Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-39291 — Improper Input Validation in Zoneminder

CWE-20 — Improper Input Validation4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

7.4%

top 8.26%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedOct 7

Latest updateMar 27

Description

ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. The…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

▶debiandebian/zoneminder< zoneminder 1.36.31+dfsg1-1 (bookworm)

▶NVDzoneminder/zoneminder< 1.36.27+1

▶Debianzoneminder/zoneminder< 1.36.31+dfsg1-1+2

▶CVEListV5zoneminder/zoneminder>= 1.37.0, <1.37.24

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-39291: ZoneMinder is a free, open source Closed-circuit television software application↗2022-10-07

▶

💥Exploits & PoCs

Exploit-DB

Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass↗2023-03-27

▶

📋Vendor Advisories

Debian

CVE-2022-39291: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...↗2022

▶