Multiple vulnerabilities in ZoneMinder
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2022-39285 CVE-2022-39289 CVE-2022-39291 CVE-2022-39290 |
| CWE-ID | CWE-79 CWE-254 CWE-20 CWE-352 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. |
| Vulnerable software |
ZoneMinder Other software / Other software solutions |
| Vendor | ZoneMinder.com |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Stored cross-site scripting
EUVDB-ID: #VU68386
Risk: Low
CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear]
CVE-ID: CVE-2022-39285
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: Yes
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the file parameter. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoneMinder: 1.36.26 - 1.37.23
CPE2.3- cpe:2.3:a:zoneminder_com:zoneminder:*:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder_com:zoneminder:1.36.26:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder_com:zoneminder:1.37.23:*:*:*:*:*:*:*
https://github.com/ZoneMinder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0d
https://github.com/ZoneMinder/zoneminder/commit/d289eb48601a76e34feea3c1683955337b1fae59
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Security features bypass
EUVDB-ID: #VU68392
Risk: High
CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-39289
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a flaw in which the API exposes database log contents to user without privileges. A remote attacker can bypass security restrictions and insert, modify or delete log files.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoneMinder: 1.36.26 - 1.37.23
CPE2.3- cpe:2.3:a:zoneminder_com:zoneminder:*:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder_com:zoneminder:1.36.26:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder_com:zoneminder:1.37.23:*:*:*:*:*:*:*
https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-mpcx-3gvh-9488
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU68391
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2022-39291
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the /zm/index.php endpoint. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoneMinder: 1.36.26 - 1.37.23
CPE2.3- cpe:2.3:a:zoneminder_com:zoneminder:*:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder_com:zoneminder:1.36.26:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder_com:zoneminder:1.37.23:*:*:*:*:*:*:*
https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4
https://github.com/ZoneMinder/zoneminder/commit/cb3fc5907da21a5111ae54128a5d0b49ae755e9b
https://github.com/ZoneMinder/zoneminder/commit/de2866f9574a2bf2690276fad53c91d607825408
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-cfcx-v52x-jh74
https://github.com/ZoneMinder/zoneminder/commit/73d9f2482cdcb238506388798d3cf92546f9e40c
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Cross-site request forgery
EUVDB-ID: #VU68388
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2022-39290
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall update from vendor's website.
Vulnerable software versionsZoneMinder: 1.36.26 - 1.37.23
CPE2.3- cpe:2.3:a:zoneminder_com:zoneminder:*:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder_com:zoneminder:1.36.26:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder_com:zoneminder:1.37.23:*:*:*:*:*:*:*
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-xgv6-qv6c-399q
https://github.com/ZoneMinder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
