Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-39290 — Improper Authentication in Zoneminder

CWE-287 — Improper Authentication5 documents5 sources

Severity

6.5MEDIUMNVD

VulnCheck8.0

EPSS

4.0%

top 11.55%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedOct 7

Latest updateMar 27

Description

ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request. An attacker can take advantage of this by using an HTTP GET request to perform actions with no CSRF protection. This could allow an attacker to cause an authenticated user to per…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/zoneminder< zoneminder 1.36.31+dfsg1-1 (bookworm)

▶NVDzoneminder/zoneminder< 1.36.27+1

▶Debianzoneminder/zoneminder< 1.36.31+dfsg1-1+2

▶CVEListV5zoneminder/zoneminder>= 1.37.0, < 1.37.24

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-39290: ZoneMinder is a free, open source Closed-circuit television software application↗2022-10-07

▶

VulnCheck

zoneminder zoneminder Improper Authentication↗2022

▶

💥Exploits & PoCs

Exploit-DB

Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass↗2023-03-27

▶

📋Vendor Advisories

Debian

CVE-2022-39290: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...↗2022

▶