First published: Mon Feb 04 2019
Log Injection exists in ZoneMinder through 1.32.3, as an attacker can entice the victim to visit a specially crafted link, which in turn will inject a custom Log message provided by the attacker in the 'log' view page, as demonstrated by the message=User%20'admin'%20Logged%20in value.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
ZoneMinder ZoneMinder | <=1.32.3 | |
The vulnerability ID for this Log Injection vulnerability is CVE-2019-7351.
The severity of CVE-2019-7351 is medium with a CVSS score of 6.5.
Log Injection occurs in ZoneMinder when an attacker tricks a victim into visiting a specially crafted link that injects a customized log message.
ZoneMinder versions up to and including 1.32.3 are affected by CVE-2019-7351.
Upgrading to a version of ZoneMinder later than 1.32.3 resolves the Log Injection vulnerability.