Loginsoft-Research

**Name of the Vulnerable Software and Affected Versions** Xpdf version 4.0.0 pdfalto version 0.2 **Description** The issue is related to an invalid memory access in the `GfxIndexedColorSpace::mapColorToBase()` function, located in `GfxState.cc`. This can be triggered by sending a crafted pdf file to the `pdftops` binary, potentially allowing an attacker to cause a Denial of Service (Segmentation fault) or have other unspecified impacts. **Recommendations** For Xpdf version 4.0.0, consider restricting access to the `pdftops` binary until a fix is available. For pdfalto version 0.2, avoid using the `pdftops` binary with untrusted pdf files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Reflected Cross Site Scripting (XSS) issue exists due to insecure utilization of the `$ REQUEST['PHP SELF']` variable in multiple views under web/skins/classic/views, without proper filtration. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Self-Stored Cross Site Scripting (XSS) issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable `Host` parameter value in the view console (console.php), specifically the index.php?view=monitor `Host Name` field, due to omitted proper filtration. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the console.php endpoint until a patch is available. Avoid using the `Host Name` field in the index.php?view=monitor page with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Reflected Cross Site Scripting issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable `scale` parameter value in the "frame.php" file, due to omitted proper filtration. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "frame.php" file or avoiding the use of the `scale` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Reflected Cross Site Scripting (XSS) issue exists due to the insecure use of $ SERVER['PHP SELF'] in the form action on multiple views. This mishandles arbitrary input appended to the webroot URL, leading to XSS, as there is no proper filtration of the input. **Recommendations** For versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider implementing proper input filtration for the $ SERVER['PHP SELF'] variable to prevent XSS attacks.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Self-Stored Cross Site Scripting (XSS) issue exists when editing an existing monitor field named "signal check color" in monitor.php. The lack of input validation and output filtration makes it vulnerable to HTML Injection and an XSS attack. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the monitor.php page, specifically the "signal check color" field, until a patch is applied. Avoid using the vulnerable field until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Reflected Cross Site Scripting issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable `eid` parameter value in the "download.php" API endpoint, due to omitted proper filtration. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the download.php endpoint to minimize the risk of exploitation. Avoid using the `eid` parameter in the download.php endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Reflected Cross Site Scripting issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable `Exportfile` parameter value in the "view export" functionality, specifically in the export.php file, due to omitted proper filtration. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the export.php file or avoiding the use of the `Exportfile` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Reflected Cross Site Scripting (XSS) issue exists due to the insecure display of the `limit` parameter value in the 'events' view (events.php) without proper output filtration. This is caused by the `sortHeader()` function in functions.php, which returns the value of the `limit` query string parameter without applying any filtration. **Recommendations** For ZoneMinder versions prior to 1.32.4, consider disabling the `sortHeader()` function in functions.php until a patch is available, or restrict access to the 'events' view (events.php) to minimize the risk of exploitation. Avoid using the `limit` parameter in the affected view until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Self-Stored XSS issue exists, allowing an attacker to execute HTML or JavaScript code in the 'group' view. This occurs because the 'Group Name' value is printed on the web page without proper filtration, enabling the execution of malicious code. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider disabling the printing of the 'Group Name' value in the 'group' view until a patch is available. Restrict access to the 'group' view to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Cross Site Scripting (XSS) issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable `level` parameter value in the "view log" page, which is accessed through the "log.php" endpoint, due to omitted proper filtration. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "log.php" endpoint to minimize the risk of exploitation. Avoid using the `level` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Cross Site Scripting (XSS) issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable `filter[Query][terms][0][val]` parameter value in the "view filter" (filter.php) because proper filtration is omitted. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the filter.php endpoint until a patch is available. Avoid using the `filter[Query][terms][0][val]` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Cross Site Scripting (XSS) issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable `filter[AutoExecuteCmd]` parameter value in the view filter (filter.php) because proper filtration is omitted. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the filter.php endpoint to minimize the risk of exploitation. Avoid using the `filter[AutoExecuteCmd]` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.33 **Description** A Self-Stored Cross Site Scripting (XSS) issue exists due to the lack of input validation for the `WEB TITLE`, `HOME URL`, `HOME CONTENT`, or `WEB CONSOLE BANNER` values in the 'options' view (options.php), allowing an attacker to execute HTML or JavaScript code. This issue relates to the `functions.php` file. **Recommendations** For ZoneMinder versions prior to 1.33, update to a version that includes input validation for the `WEB TITLE`, `HOME URL`, `HOME CONTENT`, and `WEB CONSOLE BANNER` values to prevent XSS attacks. As a temporary workaround, consider restricting access to the 'options' view (options.php) until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A CSRF check issue exists, allowing a CSRF attack to be successful. Whenever a CSRF check fails, a callback function is called, displaying a "Try again" button. This button allows resending the failed request, thus making the CSRF attack successful. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.4 **Description** A Time-of-check Time-of-use (TOCTOU) Race Condition issue exists, allowing a nonexistent user to access and modify records, such as adding or deleting Monitors and Users, because a session remains active for an authenticated user even after their deletion from the users table. **Recommendations** For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.3 **Description** The issue allows an attacker to execute HTML or JavaScript code via a vulnerable `username` parameter value in the user view (user.php) due to omitted proper filtration, leading to a persistent cross-site scripting (XSS) condition. **Recommendations** For versions prior to 1.32.3, update to version 1.32.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the user.php view until a patch is applied. Avoid using the `username` parameter in the affected user.php endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.33 **Description** A Reflected Cross Site Scripting issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable `newMonitor[V4LCapturesPerFrame]` parameter value in the "view monitor" page, specifically in the monitor.php file, due to omitted proper filtration. **Recommendations** For ZoneMinder versions prior to 1.33, update to version 1.33 or later to resolve the issue. As a temporary workaround, consider restricting access to the monitor.php page or avoiding the use of the `newMonitor[V4LCapturesPerFrame]` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.3 **Description** The issue is related to a stack-based buffer overflow in the `zmLoadUser()` function, which can be exploited by a remote attacker to execute arbitrary code or cause a denial of service. This is a classic stack-based buffer overflow vulnerability. **Recommendations** For ZoneMinder versions prior to 1.32.3, update to a version that contains a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the `zmLoadUser()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions prior to 1.32.3 **Description** A stored-self XSS issue exists, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the "index.php?view=zones&action=zoneImage&mid=1" URI. **Recommendations** For versions prior to 1.32.3, update to a version that contains a fix for this issue.