CVE-2022-39285
published 2022-10-07CVE-2022-39285: ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS)…
PriorityP434medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EXPLOIT
EPSS
3.69%
88.3th percentile
ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zoneminder | < zoneminder 1.36.31+dfsg1-1 (bookworm) | zoneminder 1.36.31+dfsg1-1 (bookworm) |
| zoneminder | zoneminder | < 1.36.27 | 1.36.27 |
| zoneminder | zoneminder | < 1.37.24 | 1.37.24 |
| zoneminder | zoneminder | — | — |
| zoneminder | zoneminder | >= 0 < 1.36.31+dfsg1-1 | 1.36.31+dfsg1-1 |
| zoneminder | zoneminder | >= 0 < 1.36.31+dfsg1-1 | 1.36.31+dfsg1-1 |
| zoneminder | zoneminder | >= 0 < 1.36.31+dfsg1-1 | 1.36.31+dfsg1-1 |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
osv5.4MEDIUM
vendor_debian7.6LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Debian
CVE-2022-39285: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...
vendor_debian·2022·CVSS 7.6
CVE-2022-39285 [HIGH] CVE-2022-39285: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...
ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging.
Scope: local
bookworm: resolved (
VulDB
ZoneMinder prior 1.36.27/1.37.24 Log File cross site scripting (GHSA-h6xp-cvwv-q433 / EUVD-2022-41786)
vuldb·2026-06-29·CVSS 5.4
CVE-2022-39285 [MEDIUM] ZoneMinder prior 1.36.27/1.37.24 Log File cross site scripting (GHSA-h6xp-cvwv-q433 / EUVD-2022-41786)
A vulnerability categorized as problematic has been discovered in ZoneMinder. This affects an unknown part of the component Log Handler. Such manipulation of the argument File leads to cross site scripting.
This vulnerability is traded as CVE-2022-39285. The attack may be launched remotely. Furthermore, there is an exploit available.
It is advisable to upgrade the affected component.
OSV
CVE-2022-39285: ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerabil
osv·2022-10-07·CVSS 5.4
CVE-2022-39285 [MEDIUM] CVE-2022-39285: ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerabil
ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging.
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/171498/Zoneminder-Log-Injection-XSS-Cross-Site-Request-Forgery.htmlhttps://github.com/ZoneMinder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0dhttps://github.com/ZoneMinder/zoneminder/commit/d289eb48601a76e34feea3c1683955337b1fae59https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433http://packetstormsecurity.com/files/171498/Zoneminder-Log-Injection-XSS-Cross-Site-Request-Forgery.htmlhttps://github.com/ZoneMinder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0dhttps://github.com/ZoneMinder/zoneminder/commit/d289eb48601a76e34feea3c1683955337b1fae59https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
2022-10-07
Published