PT-2019-18543 · Zoneminder+1 · Zoneminder+1

Loginsoft-Research

Published

2019-02-04

Updated

2020-02-17

CVE-2019-7338

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions ZoneMinder versions prior to 1.32.4

Description A Self-Stored XSS issue exists, allowing an attacker to execute HTML or JavaScript code in the 'group' view. This occurs because the 'Group Name' value is printed on the web page without proper filtration, enabling the execution of malicious code.

Recommendations For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider disabling the printing of the 'Group Name' value in the 'group' view until a patch is available. Restrict access to the 'group' view to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2020-1092

ALT-PU-2020-1246

CVE-2019-7338

Affected Products

Alt Linux

Zoneminder

PT-2019-18543 · Zoneminder+1 · Zoneminder+1

CVE-2019-7338

Weakness Enumeration

Related Identifiers

Affected Products

References · 8