CVE-2017-5367: Cross-site Scripting in Zoneminder

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.5% (top 34.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 6
Latest update: May 17

Description

Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&f

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

debian: debian/zoneminder < zoneminder 1.30.4+dfsg-1 (bookworm)
Debian: zoneminder/zoneminder < 1.30.4+dfsg-1 +3
NVD: zoneminder/zoneminder 1.29.0, 1.30.0 +1

🔴 Vulnerability Details (2)

GHSA
GHSA-84wq-hwp8-vwxc: Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1 (2022-05-17)
OSV
CVE-2017-5367: Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1 (2017-02-06)

📋 Vendor Advisories (1)

Debian
CVE-2017-5367: zoneminder - Multiple reflected XSS vulnerabilities exist within form and link input paramete... (2017)