Lucene search

GitHub Advisory DatabaseGHSA-4FGV-8448-GF82

HistoryJul 06, 2023 - 7:24 p.m.

Zinc Cross-site Scripting vulnerability

2023-07-0619:24:00

CWE-79

GitHub Advisory Database

github.com

zinc

cross-site scripting

vulnerability

user credentials

delete user

stored cross-site scripting

EPSS

Percentile

12.6%

JSON

In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete user functionality. When an authenticated user deletes a user having a XSS payload in the user id field, the javascript payload will be executed and allow an attacker to access the user’s credentials.

Affected configurations

Vulners

Node

zinclabszincRange0.1.9–0.3.2

zincsearchzincsearchRange0.1.9–0.3.2

VendorProductVersionCPE
zinclabszinc*cpe:2.3:a:zinclabs:zinc:*:*:*:*:*:*:*:*
zincsearchzincsearch*cpe:2.3:a:zincsearch:zincsearch:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zinclabs	zinc	*	cpe:2.3:a:zinclabs:zinc::::::::
zincsearch	zincsearch	*	cpe:2.3:a:zincsearch:zincsearch::::::::

References

github.com/advisories/GHSA-4fgv-8448-gf82

github.com/zinclabs/zinc/commit/3376c248bade163430f9347742428f0a82cd322d

github.com/zincsearch/zincsearch/commit/3376c248bade163430f9347742428f0a82cd322d

nvd.nist.gov/vuln/detail/CVE-2022-32171

www.mend.io/vulnerability-database/CVE-2022-32171

EPSS

Percentile

12.6%

JSON

Related for GHSA-4FGV-8448-GF82