CVE-2019-7351

Name of the Vulnerable Software and Affected Versions ZoneMinder versions prior to 1.32.4

Description The issue allows an attacker to inject custom log messages into the system by enticing a victim to visit a specially crafted link. This is demonstrated through the message variable, where an attacker can inject a custom message, such as User 'admin' Logged in.

Recommendations For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the log view page to minimize the risk of exploitation. Avoid using user-provided input in the message variable until the issue is resolved.