Miggo Logo
Miggo Vulnerability Database
CVE-2022-32172

CVE-2022-32172: Zinc Cross-site Scripting vulnerability

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-32172
GHSA ID
GHSA-7j6x-42mm-p7jm
EPSS Score
0.62615%
CWE
CWE-79
Published
7/6/2023
Updated
7/6/2023
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/zincsearch/zincsearchgo>= 0.1.9, < 0.3.20.3.2
github.com/zinclabs/zincgo>= 0.1.9, < 0.3.20.3.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit diff shows the vulnerability was patched by adding HTML escaping to props.row.name in Template.vue's deletion dialog. The unescaped insertion of user-controlled template names into HTML markup via the confirmation message (props.row.name) directly enabled XSS. The User.vue change was a related defensive fix but not the primary vulnerability vector described in CVE-2022-32172, which specifically references template deletion as the trigger.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Zin*, v*rsions v*.*.* t*rou** v*.*.* *r* vuln*r**l* to Stor** *ross-Sit* S*riptin* w**n usin* t** **l*t* t*mpl*t* *un*tion*lity. W**n *n *ut**nti**t** us*r **l*t*s * t*mpl*t* wit* * XSS p*ylo** in t** n*m* *i*l*, t** J*v*s*ript p*ylo** will ** *x*

Reasoning

T** *ommit *i** s*ows t** vuln*r**ility w*s p*t**** *y ***in* *TML *s**pin* to props.row.n*m* in T*mpl*t*.vu*'s **l*tion *i*lo*. T** un*s**p** ins*rtion o* us*r-*ontroll** t*mpl*t* n*m*s into *TML m*rkup vi* t** *on*irm*tion m*ss*** (props.row.n*m*)