Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-39285: Cross-site Scripting in Zoneminder

Severity: 5.4 MEDIUM (NVD)
EPSS: 1.9% (top 16.96%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Oct 7
Latest update: Mar 27

Description

ZoneMinder is a free, open source Closed-circuit television software application. The file parameter is vulnerable to cross-site scripting (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with th

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (4 packages)

debian: debian/zoneminder < zoneminder 1.36.31+dfsg1-1 (bookworm)
NVD: zoneminder/zoneminder < 1.36.27+1
Debian: zoneminder/zoneminder < 1.36.31+dfsg1-1+2
CVEListV5: zoneminder/zoneminder >= 1.37.0, < 1.37.24

Patches

🔴 Vulnerability Details (1)

OSV
CVE-2022-39285: ZoneMinder is a free, open source Closed-circuit television software application. The file parameter is vulnerable to a cross site scripting vulnerabil (2022-10-07)

💥 Exploits & PoCs (1)

Exploit-DB
Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass (2023-03-27)

📋 Vendor Advisories (1)

Debian
CVE-2022-39285: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application... (2022)