Source: zoneminder Version: 1.36.26+dfsg1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for zoneminder. CVE-2022-39285[0]: | ZoneMinder is a free, open source Closed-circuit television software | application The file parameter is vulnerable to a cross site scripting | vulnerability (XSS) by backing out of the current "tr" "td" brackets. | This then allows a malicious user to provide code that will execute | when a user views the specific log on the "view=log" page. This | vulnerability allows an attacker to store code within the logs that | will be executed when loaded by a legitimate user. These actions will | be performed with the permission of the victim. This could lead to | data loss and/or further exploitation including account takeover. This | issue has been addressed in versions `1.36.27` and `1.37.24`. Users | are advised to upgrade. Users unable to upgrade should disable | database logging. CVE-2022-39289[1]: | ZoneMinder is a free, open source Closed-circuit television software | application. In affected versions the ZoneMinder API Exposes Database | Log contents to user without privileges, allows insertion, | modification, deletion of logs without System Privileges. Users are | advised yo upgrade as soon as possible. Users unable to upgrade should | disable database logging. CVE-2022-39290[2]: | ZoneMinder is a free, open source Closed-circuit television software | application. In affected versions authenticated users can bypass CSRF | keys by modifying the request supplied to the Zoneminder web | application. These modifications include replacing HTTP POST with an | HTTP GET and removing the CSRF key from the request. An attacker can | take advantage of this by using an HTTP GET request to perform actions | with no CSRF protection. This could allow an attacker to cause an | authenticated user to perform unexpected actions on the web | application. Users are advised to upgrade as soon as possible. There | are no known workarounds for this issue. CVE-2022-39291[3]: | ZoneMinder is a free, open source Closed-circuit television software | application. Affected versions of zoneminder are subject to a | vulnerability which allows users with "View" system permissions to | inject new data into the logs stored by Zoneminder. This was observed | through an HTTP POST request containing log information to the | "/zm/index.php" endpoint. Submission is not rate controlled and could | affect database performance and/or consume all storage resources. | Users are advised to upgrade. There are no known workarounds for this | issue. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-39285 https://www.cve.org/CVERecord?id=CVE-2022-39285 [1] https://security-tracker.debian.org/tracker/CVE-2022-39289 https://www.cve.org/CVERecord?id=CVE-2022-39289 [2] https://security-tracker.debian.org/tracker/CVE-2022-39290 https://www.cve.org/CVERecord?id=CVE-2022-39290 [3] https://security-tracker.debian.org/tracker/CVE-2022-39291 https://www.cve.org/CVERecord?id=CVE-2022-39291 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

