PT-2022-21134 · Zinc · Zinc
Published
2022-10-06
·
Updated
2024-08-20
·
CVE-2022-32171
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Zinc versions v0.1.9 through v0.3.1
Description
The issue is related to Stored Cross-Site Scripting when using the delete user functionality. When an authenticated user deletes a user having a XSS payload in the
user id field, the javascript payload will be executed and allow an attacker to access the user’s credentials.Recommendations
For versions v0.1.9 through v0.3.1, consider disabling the delete user functionality until a patch is available to prevent exploitation of the Stored Cross-Site Scripting vulnerability. Restrict access to the
delete user function to minimize the risk of credentials being accessed by an attacker. Avoid using the user id field in the delete user functionality until the issue is resolved.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zinc