Scan free
LOWCVE-2022-1816CVSS 3.5

CVE-2022-1816: XSS in Zoo Management System Content Module

Platform

other

Component

webray.com.cn

Fixed in

1.0.1

AI Confidence: highNVDEPSS 0.2%Reviewed: May 2026
View on NVD
Save

CVE-2022-1816 is a problematic cross-site scripting (XSS) vulnerability identified in the Zoo Management System Content Module, specifically within the /zoo/admin/publichtml/viewaccounts?type=zookeeper endpoint. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability affects versions 1.0 of the Zoo Management System. Mitigation involves input sanitization and upgrading to a patched version when available.

Impact and Attack Scenarios

An attacker can exploit this XSS vulnerability by injecting malicious JavaScript code through the adminname parameter in the /zoo/admin/publichtml/view_accounts?type=zookeeper endpoint. Successful exploitation allows the attacker to execute arbitrary JavaScript code in the context of the user's browser session. This could lead to session hijacking, unauthorized access to sensitive data, defacement of the application, or redirection to malicious websites. The impact is particularly severe if the administrator account is targeted, as this could grant the attacker full control over the Zoo Management System.

Exploitation Context

CVE-2022-1816 details were publicly disclosed on 2022-05-23. A public proof-of-concept (POC) is available, indicating a low to medium probability of exploitation. The vulnerability is not currently listed on CISA KEV. The ease of exploitation, combined with the potential impact, warrants careful monitoring and mitigation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.18% (40% percentile)

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N3.5LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentwebray.com.cn
Vendorunspecified
Affected rangeFixed in
1.0 – 1.01.0.1

Weakness Classification (CWE)

CWE-79

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 1462 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2022-1816 is to upgrade to a patched version of the Zoo Management System when available. Until a patch is released, implement input sanitization on the adminname parameter to prevent the injection of malicious scripts. This can be achieved by using a web application firewall (WAF) with XSS filtering rules or by implementing server-side validation to ensure that the input only contains expected characters. Additionally, consider restricting access to the /zoo/admin/publichtml/view_accounts?type=zookeeper endpoint to authorized users only.

How to fix

Update the Zoo Management System to a patched version that resolves the XSS vulnerability. If no version is available, it is recommended to disable or remove the affected content module until a fix is released.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2022-1816 — XSS in Zoo Management System Content Module?

CVE-2022-1816 is a cross-site scripting (XSS) vulnerability in the Zoo Management System Content Module, allowing attackers to inject malicious scripts via the admin_name parameter.

Am I affected by CVE-2022-1816 in Zoo Management System?

If you are using Zoo Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.

How do I fix CVE-2022-1816 in Zoo Management System?

The recommended fix is to upgrade to a patched version of the Zoo Management System. As an interim measure, implement input sanitization and WAF rules to prevent script injection.

Is CVE-2022-1816 being actively exploited?

While active exploitation is not confirmed, a public proof-of-concept exists, indicating a potential risk of exploitation.

Where can I find the official Zoo Management System advisory for CVE-2022-1816?

Refer to the Zoo Management System's official website or security advisory page for updates and information regarding CVE-2022-1816.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs