CVE-2022-32172 - OpenCVE

In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete template functionality. When an authenticated user deletes a template with a XSS payload in the name field, the Javascript payload will be executed and allow an attacker to access the user’s credentials.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zinclabs	Zinc

Configuration 1 [-]

cpe:2.3:a:zinclabs:zinc:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d
https://www.mend.io/vulnerability-database/CVE-2022-32172

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2022-10-06T17:13:36.407988Z

Updated: 2024-09-16T22:02:26.570Z

Reserved: 2022-05-31T00:00:00

Link: CVE-2022-32172

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-06T18:16:03.630

Modified: 2023-11-07T03:47:44.930

Link: CVE-2022-32172

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-32172", "assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "datePublished": "2022-10-06T17:13:36.407988Z", "dateUpdated": "2024-09-16T22:02:26.570Z", "dateReserved": "2022-05-31T00:00:00"}, "containers": {"cna": {"title": "Zinc - Cross-Site Scripting", "datePublic": "2022-09-28T00:00:00", "providerMetadata": {"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend", "dateUpdated": "2022-10-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete template functionality. When an authenticated user deletes a template with a XSS payload in the name field, the Javascript payload will be executed and allow an attacker to access the user\u2019s credentials."}], "affected": [{"vendor": "zinc", "product": "zinc", "versions": [{"version": "v0.1.9", "status": "affected", "lessThan": "unspecified", "versionType": "custom"}, {"version": "unspecified", "lessThanOrEqual": "v0.3.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mend.io/vulnerability-database/CVE-2022-32172"}, {"url": "https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d"}], "credits": [{"lang": "en", "value": "Mend Vulnerability Research Team (MVR)"}], "metrics": [{"other": {"type": "unknown", "content": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "version": 3.1, "baseScore": 5.4, "baseSeverity": "MEDIUM"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}, "solutions": [{"lang": "en", "value": "Update version to v0.3.2 or later"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:32:56.002Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mend.io/vulnerability-database/CVE-2022-32172", "tags": ["x_transferred"]}, {"url": "https://github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d", "tags": ["x_transferred"]}]}]}}