CVE-2019-7337
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 as the view 'events' (events.php) insecurely displays the limit parameter value, without applying any proper output filtration. This issue exists because of the function sortHeader() in functions.php, which insecurely returns the value of the limit query string parameter without applying any filtration.
Existe Cross-Site Scripting (XSS) reflejado en ZoneMinder, hasta la versión 1.32.3, ya que la vista "events" (events.php) muestra de forma insegura el valor del parámetro limit sin aplicar ningún filtrado de salidas adecuado. Este problema existe debido a la función sortHeader() en functions.php, lo que devuelve de forma insegura el valor del parámetro de cadena de consulta "limit" sin aplicar ningún filtro.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-02-04 CVE Reserved
- 2019-02-04 CVE Published
- 2024-04-25 EPSS Updated
- 2024-09-17 CVE Updated
- 2024-09-17 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/ZoneMinder/zoneminder/issues/2456 | 2024-09-17 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Zoneminder Search vendor "Zoneminder" | Zoneminder Search vendor "Zoneminder" for product "Zoneminder" | <= 1.32.3 Search vendor "Zoneminder" for product "Zoneminder" and version " <= 1.32.3" | - |
Affected
| ||||||