CVE-2022-30768 — Cross-site Scripting in Zoneminder

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

OSV6.1

EPSS

0.2%

top 57.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedNov 15

Latest updateNov 16

Description

A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 and requires a different attack method.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶debiandebian/zoneminder

▶NVDzoneminder/zoneminder1.36.12

🔴Vulnerability Details

GHSA

GHSA-mjxc-g8h2-2g9g: A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1↗2022-11-16

▶

OSV

CVE-2022-30768: A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1↗2022-11-15

▶

📋Vendor Advisories

Debian

CVE-2022-30768: zoneminder - A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attack...↗2022

▶