CVE-2022-39290
Published: 2022-10-07
Priority: P2 · 77 · medium · 6.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 5.44% (91.7th percentile)
ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request. An attacker can take advantage of this by using an HTTP GET request to perform actions with no CSRF protection. This could allow an attacker to cause an authenticated user to perform unexpected actions on the web application. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zoneminder | < zoneminder 1.36.31+dfsg1-1 (bookworm) | zoneminder 1.36.31+dfsg1-1 (bookworm) |
| zoneminder | zoneminder | < 1.36.27 | 1.36.27 |
| zoneminder | zoneminder | < 1.37.24 | 1.37.24 |
| zoneminder | zoneminder | — | — |
| zoneminder | zoneminder | >= 0 < 1.36.31+dfsg1-1 | 1.36.31+dfsg1-1 |
| zoneminder | zoneminder | >= 0 < 1.36.31+dfsg1-1 | 1.36.31+dfsg1-1 |
| zoneminder | zoneminder | >= 0 < 1.36.31+dfsg1-1 | 1.36.31+dfsg1-1 |
Detection & IOCs (extracted from sources)
- command: `view=request&request=log&task=create&level=ERR&message=<payload>&browser[name]=Firefox&browser[version]=91.0&browser[platform]=UNIX&file=<url>&line=105`
- Detect CSRF bypass: monitor for HTTP GET requests to /zm/index.php with action-oriented parameters (e.g., action=login, view=request, task=create) that would normally require HTTP POST with a CSRF token.
- Alert on POST requests to /zm/index.php where the __csrf_magic parameter is absent or where the request method has been switched to GET for state-changing operations (view=request, task=create).
- Detect log injection attempts: look for POST requests to /zm/index.php with parameters request=log, task=create, and level=ERR combined with a file parameter containing a URL-encoded HTTP URL (e.g., http%3A%2F%2F).
- Monitor for rapid repeated POST requests (approximately 1-second intervals) to /zm/index.php with XSS log injection payloads, indicative of the exploit's while-True loop behavior.
- Flag sessions where a ZMSESSID cookie is used to first GET /zm/index.php?view=filter to harvest a csrfMagicToken, immediately followed by a POST to /zm/index.php with log injection data; this pattern is consistent with this exploit chain.
- ZoneMinder versions up to and including v1.36.26 are vulnerable; flag unpatched instances (fixed in 1.36.31+dfsg1-1).
- The exploit requires an authenticated (low-privilege) session; unauthenticated exploitation is not possible. Detection should focus on authenticated sessions performing unexpected GET-based state-changing actions.
- The PoC hardcodes a ZMSESSID cookie value (f1neru6bq6bfddl7snpjqo6ss2) in the initial login request; this specific value should not be treated as a reliable IOC as it is replaced dynamically during exploitation.
- This CVE is related to CVE-2022-39285 and CVE-2022-39291; the CSRF bypass (CVE-2022-39290) is used as a prerequisite to achieve stored XSS via log injection. Detection rules should account for the chained nature of these vulnerabilities.
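The detection notes above as runnable logic, written here as an added example (not from the page's sources or ZoneMinder's own code): it classifies request records, assuming a reverse proxy or WAF that logs bodies so POST parameters are visible, and flags state-changing GETs, POSTs without __csrf_magic, and the log-injection parameter shape; the alert names, the record layout and the sample records are constructed.

```python
# Added example, not from the page's sources: flag ZoneMinder requests that
# match the CVE-2022-39290 CSRF-bypass pattern. Records are constructed and
# model what a reverse proxy or WAF that logs request bodies would emit.
from urllib.parse import parse_qs, urlsplit

ZM_PATH = "/zm/index.php"
# Parameter values the detection notes treat as state-changing actions.
STATE_CHANGING = {"action": "login", "view": "request", "task": "create"}

def _params(record):
    """Merge decoded query-string and form-body parameters into one dict."""
    url = urlsplit(record["url"])
    merged = parse_qs(url.query, keep_blank_values=True)
    for key, vals in parse_qs(record.get("body", ""), keep_blank_values=True).items():
        merged.setdefault(key, []).extend(vals)
    return url.path, merged

def classify(record):
    """Return alert tags (names chosen here) for one request; [] means benign."""
    path, p = _params(record)
    if path != ZM_PATH:
        return []
    alerts = []
    if any(val in p.get(key, []) for key, val in STATE_CHANGING.items()):
        if record["method"] == "GET":
            alerts.append("csrf-bypass-get")  # state change over GET: no token checked
        elif record["method"] == "POST" and "__csrf_magic" not in p:
            alerts.append("post-missing-csrf-token")
    # request=log&task=create with a URL in file (parse_qs already decoded %3A%2F%2F).
    if p.get("request") == ["log"] and p.get("task") == ["create"] and any(
            f.lower().startswith(("http://", "https://")) for f in p.get("file", [])):
        alerts.append("log-injection-url-file")
    return alerts

def scan(records):
    """Return (session, method, alerts) for every record that raised an alert."""
    return [(r["sid"], r["method"], a) for r in records if (a := classify(r))]

# Constructed sample records; "sid" stands in for the ZMSESSID session cookie.
SAMPLE = [
    {"sid": "s1", "method": "GET", "url": "/zm/index.php?view=console"},
    {"sid": "s1", "method": "GET",
     "url": "/zm/index.php?view=request&request=log&task=create&level=ERR&message=x"},
    {"sid": "s2", "method": "POST", "url": "/zm/index.php",
     "body": "view=request&request=log&task=create&level=ERR&message=x"
             "&file=http%3A%2F%2Fexample.invalid%2Fa&line=105"},
    {"sid": "s3", "method": "POST", "url": "/zm/index.php",
     "body": "__csrf_magic=sid%3Aabc&view=request&request=log&task=create&level=INF"},
    {"sid": "s4", "method": "POST", "url": "/zm/api/host/getVersion.json"},
]
```

The rapid-repeat and token-harvest sequence checks in the notes need per-session timing and ordering, which this single-request classifier deliberately leaves to the SIEM correlation layer.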
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| osv | | 6.5 | MEDIUM | |
| vulncheck | | 8.0 | HIGH | |
| vendor_debian | | 8.0 | LOW | |
VulDB
CVE-2022-39290 [MEDIUM] ZoneMinder HTTP GET Request cross-site request forgery (GHSA-xgv6-qv6c-399q / EUVD-2022-41788)
vuldb · 2026-06-29 · CVSS 6.5
A vulnerability has been found in ZoneMinder and classified as problematic. This affects an unknown function of the component HTTP GET Request Handler. Performing a manipulation results in cross-site request forgery.
This vulnerability is cataloged as CVE-2022-39290. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
To fix this issue, it is recommended to deploy a patch.
OSV
CVE-2022-39290 [MEDIUM] CVE-2022-39290: ZoneMinder is a free, open source Closed-circuit television software application
osv · 2022-10-07 · CVSS 6.5
VulnCheck
CVE-2022-39290 [HIGH] zoneminder zoneminder Improper Authentication
vulncheck · 2022 · CVSS 8.0
Affected: zoneminder zoneminder
Required Action: Apply remediations or mitigations per vendor instructions
Debian
CVE-2022-39290 [HIGH] CVE-2022-39290: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...
vendor_debian · 2022 · CVSS 8.0
Scope: local
bookworm: resolved (fixed in 1.36.31+dfsg1-1)
bullseye: open
forky: resolved (fixed in 1.36.31+dfsg1-1)
sid: resolved (fixed in 1.36.31+dfsg1-
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/171498/Zoneminder-Log-Injection-XSS-Cross-Site-Request-Forgery.html
- https://github.com/ZoneMinder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0d
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-xgv6-qv6c-399q