high
7.6
CWE
79
Advisory Published
Updated

CVE-2022-39285: Stored Cross-Site Scripting Vulnerability In File Parameter in zoneminder

First published: Fri Oct 07 2022(Updated: )

ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Zoneminder Zoneminder<1.36.27
Zoneminder Zoneminder>1.37.0<1.37.24

Remedy

https://github.com/ZoneMinder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0d

Remedy

https://github.com/ZoneMinder/zoneminder/commit/d289eb48601a76e34feea3c1683955337b1fae59

Remedy

https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2022-39285?

    CVE-2022-39285 is a cross-site scripting (XSS) vulnerability in the file parameter of ZoneMinder, a free and open-source CCTV software application.

  • What is the severity of CVE-2022-39285?

    The severity of CVE-2022-39285 is high with a CVSS score of 5.4.

  • How does the vulnerability in CVE-2022-39285 work?

    The vulnerability in CVE-2022-39285 occurs when a malicious user provides code that will execute when a user views a certain page, by exploiting the file parameter in ZoneMinder.

  • Which versions of ZoneMinder are affected by CVE-2022-39285?

    ZoneMinder versions up to and including 1.36.27 and versions between 1.37.0 and 1.37.24 are affected by CVE-2022-39285.

  • How can I fix CVE-2022-39285?

    To fix CVE-2022-39285, users should update their ZoneMinder installation to a version that includes the patch for the vulnerability.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203