CVE-2022-39285

Stored Cross-Site Scripting Vulnerability In File Parameter in zoneminder

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging.

ZoneMinder es una aplicación de software de televisión en circuito cerrado gratuita y de código abierto El parámetro de archivo es susceptible a una vulnerabilidad de tipo cross site scripting (XSS) al retroceder los corchetes "tr" "td" actuales. Esto permite entonces a un usuario malicioso proporcionar código que será ejecutado cuando un usuario visualice el registro específico en la página "view=log". Esta vulnerabilidad permite a un atacante almacenar código dentro de los registros que será ejecutado cuando sea cargado por un usuario legítimo. Estas acciones serán llevadas a cabo con el permiso de la víctima. Esto podría conllevar a una pérdida de datos y/o una explotación posterior, incluyendo la toma de control de la cuenta. Este problema ha sido abordado en versiones "1.36.27" y "1.37.24". Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizarse deberán deshabilitar el registro de la base de datos

Zoneminder versions prior to 1.37.24 suffers from log injection, persistent cross site scripting, and cross site request forgery bypass vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-10-07 CVE Published
2023-03-27 First Exploit
2024-04-29 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (5)

URL	Tag	Source
http://packetstormsecurity.com/files/171498/Zoneminder-Log-Injection-XSS-Cross-Site-Request-Forgery.html

URL	Date	SRC
https://www.exploit-db.com/exploits/51071	2023-03-27
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433	2024-08-03

URL	Date	SRC
https://github.com/ZoneMinder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0d	2023-03-27
https://github.com/ZoneMinder/zoneminder/commit/d289eb48601a76e34feea3c1683955337b1fae59	2023-03-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zoneminder Search vendor "Zoneminder"		Zoneminder Search vendor "Zoneminder" for product "Zoneminder"				< 1.36.27 Search vendor "Zoneminder" for product "Zoneminder" and version " < 1.36.27"		-		Affected
Zoneminder Search vendor "Zoneminder"		Zoneminder Search vendor "Zoneminder" for product "Zoneminder"				> 1.37.0 < 1.37.24 Search vendor "Zoneminder" for product "Zoneminder" and version " > 1.37.0 < 1.37.24"		-		Affected