Page 3 of 19 results (0.006 seconds)

CVSS: 8.9EPSS: 0%CPEs: 2EXPL: 0

CVE-2023-26032 – ZoneMinder contains SQL injection via malicious Jason Web Token

https://notcve.org/view.php?id=CVE-2023-26032

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain SQL Injection via malicious jason web token. The Username field of the JWT token was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT token and use it to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. • https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-6c72-q9mw-mwx9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 1

CVE-2023-25825 – ZoneMinder contains Cross-site Scripting via log viewing

https://notcve.org/view.php?id=CVE-2023-25825

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious referrer field. This is unescaped when viewing the logs in the web ui. This issue is patched in version 1.36.33. • https://github.com/ZoneMinder/zoneminder/commit/4637eaf9ea530193e0897ec48899f5638bdd6d81 https://github.com/ZoneMinder/zoneminder/commit/57bf25d39f12d620693f26068b8441b4f3f0b6c0 https://github.com/ZoneMinder/zoneminder/commit/e1028c1d7f23cc1e0941b7b37bb6ae5a04364308 https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-68vf-g4qm-jr6v • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-30768

https://notcve.org/view.php?id=CVE-2022-30768

A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 and requires a different attack method. Un problema de Cross Site Scripting (XSS) almacenado en ZoneMinder 1.36.12 permite a un atacante ejecutar código HTML o JavaScript a través del campo Nombre de Usuario cuando un Administrador (o usuarios no Administradores que pueden ver a otros usuarios conectados a la plataforma) hacen clic en Cerrar Sesión. NOTA: esto existe en versiones posteriores a CVE-2019-7348 y requiere un método de ataque diferente. • https://github.com/ZoneMinder/zoneminder/releases https://medium.com/%40dk50u1/stored-xss-in-zoneminder-up-to-v1-36-12-f26b4bb68c31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-30769

https://notcve.org/view.php?id=CVE-2022-30769

Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. La fijación de sesiones existe en ZoneMinder hasta la versión 1.36.12, ya que un atacante puede envenenar una cookie de sesión para el siguiente usuario que haya iniciado sesión. • https://github.com/ZoneMinder/zoneminder/releases https://medium.com/%40dk50u1/session-fixation-in-zoneminder-up-to-v1-36-12-3c850b1fbbf3 • CWE-384: Session Fixation •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 2

CVE-2022-39291 – Denial of service through logs in zoneminder

https://notcve.org/view.php?id=CVE-2022-39291

ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. • https://www.exploit-db.com/exploits/51071 http://packetstormsecurity.com/files/171498/Zoneminder-Log-Injection-XSS-Cross-Site-Request-Forgery.html https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4 https://github.com/ZoneMinder/zoneminder/commit/73d9f2482cdcb238506388798d3cf92546f9e40c https://github.com/ZoneMinder/zoneminder/commit/cb3fc5907da21a5111ae54128a5d0b49ae755e9b https://github.com/ZoneMinder/zoneminder/commit/de2866f9574a2bf2690276fad53c91d607825408 https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-cfcx • CWE-20: Improper Input Validation •