PT-2019-18550 · Zoneminder+1 · Zoneminder+1
Loginsoft-Research · Published 2019-02-04 · Updated 2020-02-17 · CVE-2019-7345
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ZoneMinder versions prior to 1.33
Description
A Self-Stored Cross Site Scripting (XSS) issue exists due to the lack of input validation for the WEB TITLE, HOME URL, HOME CONTENT, or WEB CONSOLE BANNER values in the 'options' view (options.php), allowing an attacker to execute HTML or JavaScript code. This issue relates to the functions.php file.
Recommendations
For ZoneMinder versions prior to 1.33, update to a version that includes input validation for the WEB TITLE, HOME URL, HOME CONTENT, and WEB CONSOLE BANNER values to prevent XSS attacks. As a temporary workaround, consider restricting access to the 'options' view (options.php) until a patch is available.
Exploit
Fix
XSS
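The pattern behind this class of bug and its correction, as an added example that is not ZoneMinder's code or its actual fix. The option keys, function names and sample values are constructed, and the example assumes the four settings are meant to hold plain text and a link target.

```php
<?php
// Added example, not ZoneMinder code. Keys and function names are hypothetical.

// Constructed sample: values saved through an options form.
$opts = [
    'WEB_TITLE'          => '<script>alert(1)</script>',
    'HOME_URL'           => 'javascript:alert(1)',
    'HOME_CONTENT'       => 'ZoneMinder',
    'WEB_CONSOLE_BANNER' => '<img src=x onerror=alert(1)>',
];

// Encode for an HTML text or quoted-attribute context.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encoding alone does not stop a javascript: URL inside href, so the
// link target is also restricted to http(s) or a site-relative path.
function safe_url(string $url, string $fallback = '/'): string {
    $url = trim($url);
    // Reject whitespace and control characters, which browsers may strip.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) return $fallback;
    // Site-relative path, but not //host or /\host.
    if (preg_match('#^/(?![/\\\\])#', $url)) return $url;
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : $fallback;
}

// Vulnerable pattern: stored values are echoed into the page as-is.
function render_unsafe(array $o): string {
    return "<title>{$o['WEB_TITLE']}</title>"
         . "<a href=\"{$o['HOME_URL']}\">{$o['HOME_CONTENT']}</a>"
         . "<div id=\"banner\">{$o['WEB_CONSOLE_BANNER']}</div>";
}

// Hardened pattern: validate the URL, then encode every value at output.
function render_safe(array $o): string {
    return '<title>' . h($o['WEB_TITLE']) . '</title>'
         . '<a href="' . h(safe_url($o['HOME_URL'])) . '">'
         . h($o['HOME_CONTENT']) . '</a>'
         . '<div id="banner">' . h($o['WEB_CONSOLE_BANNER']) . '</div>';
}

echo render_unsafe($opts), "\n", render_safe($opts), "\n";
```

Comparing the two output lines shows the markup surviving intact in the first and appearing as inert text, with the link reset to `/`, in the second.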
Affected Products
Alt Linux
Zoneminder