CVE-2019-7340

Name of the Vulnerable Software and Affected Versions ZoneMinder versions prior to 1.32.4

Description A Cross Site Scripting (XSS) issue exists, allowing an attacker to execute HTML or JavaScript code via a vulnerable filter[Query][terms][0][val] parameter value in the "view filter" (filter.php) because proper filtration is omitted.

Recommendations For ZoneMinder versions prior to 1.32.4, update to version 1.32.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the filter.php endpoint until a patch is available. Avoid using the filter[Query][terms][0][val] parameter in the affected API endpoint until the issue is resolved.