Source: zoneminder
Version: 1.36.26+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for zoneminder.

CVE-2022-39285[0]:
| ZoneMinder is a free, open source Closed-circuit television software
| application The file parameter is vulnerable to a cross site scripting
| vulnerability (XSS) by backing out of the current "tr" "td" brackets.
| This then allows a malicious user to provide code that will execute
| when a user views the specific log on the "view=log" page. This
| vulnerability allows an attacker to store code within the logs that
| will be executed when loaded by a legitimate user. These actions will
| be performed with the permission of the victim. This could lead to
| data loss and/or further exploitation including account takeover. This
| issue has been addressed in versions `1.36.27` and `1.37.24`. Users
| are advised to upgrade. Users unable to upgrade should disable
| database logging.


CVE-2022-39289[1]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. In affected versions the ZoneMinder API Exposes Database
| Log contents to user without privileges, allows insertion,
| modification, deletion of logs without System Privileges. Users are
| advised yo upgrade as soon as possible. Users unable to upgrade should
| disable database logging.


CVE-2022-39290[2]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. In affected versions authenticated users can bypass CSRF
| keys by modifying the request supplied to the Zoneminder web
| application. These modifications include replacing HTTP POST with an
| HTTP GET and removing the CSRF key from the request. An attacker can
| take advantage of this by using an HTTP GET request to perform actions
| with no CSRF protection. This could allow an attacker to cause an
| authenticated user to perform unexpected actions on the web
| application. Users are advised to upgrade as soon as possible. There
| are no known workarounds for this issue.


CVE-2022-39291[3]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. Affected versions of zoneminder are subject to a
| vulnerability which allows users with "View" system permissions to
| inject new data into the logs stored by Zoneminder. This was observed
| through an HTTP POST request containing log information to the
| "/zm/index.php" endpoint. Submission is not rate controlled and could
| affect database performance and/or consume all storage resources.
| Users are advised to upgrade. There are no known workarounds for this
| issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39285
    https://www.cve.org/CVERecord?id=CVE-2022-39285
[1] https://security-tracker.debian.org/tracker/CVE-2022-39289
    https://www.cve.org/CVERecord?id=CVE-2022-39289
[2] https://security-tracker.debian.org/tracker/CVE-2022-39290
    https://www.cve.org/CVERecord?id=CVE-2022-39290
[3] https://security-tracker.debian.org/tracker/CVE-2022-39291
    https://www.cve.org/CVERecord?id=CVE-2022-39291

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to