PT-2019-18542 · Zoneminder+1

Loginsoft-Research · Published 2019-02-04 · Updated 2020-02-17 · CVE-2019-7337

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ZoneMinder versions prior to 1.32.4

Description: A reflected Cross-Site Scripting (XSS) issue exists because the value of the limit query-string parameter is displayed in the 'events' view (events.php) without output encoding. The cause is the sortHeader() function in functions.php, which returns the value of the limit parameter without applying any filtering.

Recommendations: For ZoneMinder versions prior to 1.32.4, consider disabling the sortHeader() function in functions.php until a patch is available, or restrict access to the 'events' view (events.php) to minimize the risk of exploitation. Avoid using the limit parameter in the affected view until the issue is resolved.
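The pattern behind this class of bug, as an added illustration that is not ZoneMinder's code: a simplified stand-in for a sortHeader()-style helper that builds a column-heading link carrying the current limit value. The unsafe variant concatenates the raw query-string value into HTML; the hardened variant validates limit as a bounded integer, takes the column name from a fixed allow-list, and HTML-encodes everything interpolated into the markup. The function and column names are assumptions made for the example.

```php
<?php
// Added illustration, not ZoneMinder's code. sortHeaderUnsafe(),
// sortHeaderSafe() and the column names are hypothetical.

// Unsafe pattern: the raw query-string value lands inside an HTML attribute.
function sortHeaderUnsafe(string $column, array $query): string
{
    $limit = $query['limit'] ?? '';
    return '<a href="?view=events&sort=' . $column . '&limit=' . $limit . '">'
        . $column . '</a>';
}

// Hardened version: reject anything that is not a bounded positive integer
// (falling back to a default), restrict the column name to an allow-list, and
// encode every value that is interpolated into an attribute or text node.
function sortHeaderSafe(string $column, array $query): string
{
    $limit = filter_var($query['limit'] ?? 100, FILTER_VALIDATE_INT, [
        'options' => ['default' => 100, 'min_range' => 1, 'max_range' => 1000],
    ]);

    // Column names come from a fixed list, never from the request.
    $allowed = ['StartTime', 'Length', 'Frames', 'Score'];
    if (!in_array($column, $allowed, true)) {
        $column = 'StartTime';
    }

    $href = sprintf('?view=events&sort=%s&limit=%d', $column, $limit);
    return sprintf(
        '<a href="%s">%s</a>',
        htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($column, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    );
}

// Constructed request: the limit value contains characters that close the
// surrounding attribute and inject a harmless tag.
$request = ['limit' => '10"><i>x</i>'];

echo "Unsafe: " . sortHeaderUnsafe('StartTime', $request) . PHP_EOL;
echo "Safe:   " . sortHeaderSafe('StartTime', $request) . PHP_EOL;
```

Run with `php example.php`: the unsafe line shows the injected tag sitting inside the anchor markup, while the hardened line carries limit=100 (the default, because the value failed integer validation) and a fully encoded href. Validating the type of limit is what removes the bug; the output encoding is defence in depth for any value that must be echoed as-is.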

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

ALT-PU-2020-1092
ALT-PU-2020-1246
CVE-2019-7337

Affected Products

Alt Linux
Zoneminder