CVE-2019-7348

Name of the Vulnerable Software and Affected Versions ZoneMinder versions prior to 1.32.3

Description The issue allows an attacker to execute HTML or JavaScript code via a vulnerable username parameter value in the user view (user.php) due to omitted proper filtration, leading to a persistent cross-site scripting (XSS) condition.

Recommendations For versions prior to 1.32.3, update to version 1.32.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the user.php view until a patch is applied. Avoid using the username parameter in the affected user.php endpoint until the issue is resolved.