CVE-2019-7326

Name of the Vulnerable Software and Affected Versions ZoneMinder versions prior to 1.32.4

Description A Self-Stored Cross Site Scripting (XSS) issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable Host parameter value in the view console (console.php), specifically the index.php?view=monitor Host Name field, due to omitted proper filtration.

Recommendations For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the console.php endpoint until a patch is available. Avoid using the Host Name field in the index.php?view=monitor page with untrusted input until the issue is resolved.