Platform
other
Component
webray.com.cn
Fixed in
1.0.1
CVE-2022-1816 is a problematic cross-site scripting (XSS) vulnerability identified in the Zoo Management System Content Module, specifically within the /zoo/admin/publichtml/viewaccounts?type=zookeeper endpoint. This vulnerability allows an attacker to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability affects versions 1.0 of the Zoo Management System. Mitigation involves input sanitization and upgrading to a patched version when available.
An attacker can exploit this XSS vulnerability by injecting malicious JavaScript code through the adminname parameter in the /zoo/admin/publichtml/view_accounts?type=zookeeper endpoint. Successful exploitation allows the attacker to execute arbitrary JavaScript code in the context of the user's browser session. This could lead to session hijacking, unauthorized access to sensitive data, defacement of the application, or redirection to malicious websites. The impact is particularly severe if the administrator account is targeted, as this could grant the attacker full control over the Zoo Management System.
CVE-2022-1816 details were publicly disclosed on 2022-05-23. A public proof-of-concept (POC) is available, indicating a low to medium probability of exploitation. The vulnerability is not currently listed on CISA KEV. The ease of exploitation, combined with the potential impact, warrants careful monitoring and mitigation.
Exploit Status
EPSS
0.18% (40% percentile)
CVSS Vector
The primary mitigation for CVE-2022-1816 is to upgrade to a patched version of the Zoo Management System when available. Until a patch is released, implement input sanitization on the adminname parameter to prevent the injection of malicious scripts. This can be achieved by using a web application firewall (WAF) with XSS filtering rules or by implementing server-side validation to ensure that the input only contains expected characters. Additionally, consider restricting access to the /zoo/admin/publichtml/view_accounts?type=zookeeper endpoint to authorized users only.
Update the Zoo Management System to a patched version that resolves the XSS vulnerability. If no version is available, it is recommended to disable or remove the affected content module until a fix is released.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2022-1816 is a cross-site scripting (XSS) vulnerability in the Zoo Management System Content Module, allowing attackers to inject malicious scripts via the admin_name parameter.
If you are using Zoo Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
The recommended fix is to upgrade to a patched version of the Zoo Management System. As an interim measure, implement input sanitization and WAF rules to prevent script injection.
While active exploitation is not confirmed, a public proof-of-concept exists, indicating a potential risk of exploitation.
Refer to the Zoo Management System's official website or security advisory page for updates and information regarding CVE-2022-1816.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.