PT-2019-18542 · Zoneminder+1

Loginsoft-Research · Published 2019-02-04 · Updated 2020-02-17 · CVE-2019-7337

CVSS v3.1: 4.8 (Medium)

Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ZoneMinder versions prior to 1.32.4

Description: A Reflected Cross Site Scripting (XSS) issue exists due to the insecure display of the limit parameter value in the 'events' view (events.php) without proper output filtration. This is caused by the sortHeader() function in functions.php, which returns the value of the limit query string parameter without applying any filtration.

Recommendations: For ZoneMinder versions prior to 1.32.4, consider disabling the sortHeader() function in functions.php until a patch is available, or restrict access to the 'events' view (events.php) to minimize the risk of exploitation. Avoid using the limit parameter in the affected view until the issue is resolved.
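The defect described above is a missing output control on a query-string value that is interpolated into markup. The following PHP is an added illustration written for this entry, not ZoneMinder's own code: the function names, the field whitelist and the default limit are hypothetical, and it shows the reflected pattern next to a version that validates the limit as an integer and HTML-escapes what it emits.

```php
<?php
// Added illustration (not ZoneMinder's code). Function and variable names are hypothetical.

// Pattern the advisory describes: the raw 'limit' query value is returned inside the
// sort-header link, so any markup characters it carries reach the browser unchanged.
function sortHeaderUnsafe(string $field, string $limit): string {
    return '<a href="?view=events&sort_field=' . $field . '&limit=' . $limit . '">' . $field . '</a>';
}

// Hardened version: 'limit' must be a non-negative integer (otherwise fall back to a
// default), the sort field must come from a whitelist, and every value interpolated into
// the HTML attribute is encoded for that context.
function sortHeaderSafe(string $field, string $rawLimit, int $defaultLimit = 100): string {
    $limit = filter_var($rawLimit, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($limit === false) {
        $limit = $defaultLimit;               // reject anything that is not a plain integer
    }
    $allowedFields = ['Id', 'Name', 'StartTime', 'Length'];  // hypothetical whitelist
    if (!in_array($field, $allowedFields, true)) {
        $field = 'StartTime';
    }
    // http_build_query URL-encodes the values; htmlspecialchars then makes the result
    // safe to place inside a double-quoted attribute (it also turns '&' into '&amp;').
    $query = http_build_query(['view' => 'events', 'sort_field' => $field, 'limit' => $limit]);
    return '<a href="?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample standing in for a tampered ?limit= value (not a real request).
$tampered = '100"><b>injected</b>';
echo sortHeaderUnsafe('StartTime', $tampered), "\n";  // the markup is reflected verbatim
echo sortHeaderSafe('StartTime', $tampered), "\n";    // limit falls back to 100; nothing reflected
```

The integer check alone is enough for this parameter, but escaping at the point of output is what protects the template if a future change starts interpolating a free-text value through the same helper.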

Exploit · Fix · XSS


Weakness Enumeration

Related identifiers

ALT-PU-2020-1092
ALT-PU-2020-1246
CVE-2019-7337

Affected products

Alt Linux
Zoneminder