In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting when using the delete user functionality. When an authenticated user deletes a user having an XSS payload in the user id field, the JavaScript payload will be executed and allow an attacker to access the user's credentials.
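
The pattern described above, as an added example that is not ZincSearch code: a user id stored verbatim and later interpolated into the HTML of a delete confirmation, next to a hardened form. The function names, the dialog wording and the id allowlist are assumptions made for illustration.

```javascript
// Added illustration; not ZincSearch source. All names here are hypothetical.

// Constructed sample: a user id that was stored verbatim and contains markup.
const storedUserId = '<img src=x onerror=alert(1)>';

// Vulnerable pattern: the id is interpolated into a string that the UI later
// renders as HTML (for example via innerHTML or an HTML-enabled dialog).
function confirmDeleteHtmlUnsafe(userId) {
  return `Delete user <b>${userId}</b>?`;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: same dialog text, but the id is encoded at the point of output,
// so it is displayed as text and never parsed as markup.
function confirmDeleteHtmlSafe(userId) {
  return `Delete user <b>${escapeHtml(userId)}</b>?`;
}

// Defence in depth at write time: reject ids outside an allowlist when the
// user is created. The character set and length limit are assumed policy.
function isValidUserId(userId) {
  return typeof userId === 'string' && /^[A-Za-z0-9._@-]{1,64}$/.test(userId);
}

console.log('unsafe :', confirmDeleteHtmlUnsafe(storedUserId));
console.log('safe   :', confirmDeleteHtmlSafe(storedUserId));
console.log('accepted at creation:', isValidUserId(storedUserId));
```

Output encoding is the primary fix because ids stored before any validation was introduced are still in the data store; where the UI framework allows it, rendering the id through a text binding (`textContent` or the framework's default interpolation) avoids building HTML strings at all.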
Vendor | Product | Version | CPE |
---|---|---|---|
zinclabs | zinc | * | cpe:2.3:a:zinclabs:zinc:*:*:*:*:*:*:*:* |
zincsearch | zincsearch | * | cpe:2.3:a:zincsearch:zincsearch:*:*:*:*:*:*:*:* |