CVE-2022-39291
Published 2022-10-07
CVE-2022-39291: ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows…
Priority: P3 · 38 · medium · 5.4 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
EXPLOIT
EPSS: 5.05% (91.2nd percentile)
ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. There are no known workarounds for this issue.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zoneminder | < zoneminder 1.36.31+dfsg1-1 (bookworm) | zoneminder 1.36.31+dfsg1-1 (bookworm) |
| zoneminder | zoneminder | < 1.36.27 | 1.36.27 |
| zoneminder | zoneminder | < 1.37.24 | 1.37.24 |
| zoneminder | zoneminder | — | — |
| zoneminder | zoneminder | >= 0 < 1.36.31+dfsg1-1 | 1.36.31+dfsg1-1 |
| zoneminder | zoneminder | >= 0 < 1.36.31+dfsg1-1 | 1.36.31+dfsg1-1 |
| zoneminder | zoneminder | >= 0 < 1.36.31+dfsg1-1 | 1.36.31+dfsg1-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
| osv | — | 5.4 | MEDIUM | — |
| vendor_debian | — | 5.4 | LOW | — |
Debian
CVE-2022-39291 [MEDIUM]: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...
Source: vendor_debian · 2022 · CVSS 5.4
Scope: local
bookworm: resolved (fixed in 1.36.31+dfsg1-1)
bullseye: open
forky: resolved (fixed in 1.36.31+dfsg1-1)
sid: resolved (fixed in 1.36.31+dfsg1-1)
trixie: resolved (fixed in 1.36.31+dfsg1-1)
VulDB
CVE-2022-39291 [MEDIUM]: ZoneMinder HTTP POST Request /zm/index.php injection (GHSA-cfcx-v52x-jh74 / EUVD-2022-41789)
Source: vuldb · 2026-06-29 · CVSS 5.4
A vulnerability was found in ZoneMinder. It has been rated as critical. The affected element is an unknown function of the file /zm/index.php of the component HTTP POST Request Handler. Performing a manipulation results in injection.
This vulnerability is known as CVE-2022-39291. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
To fix this issue, it is recommended to deploy a patch.
OSV
CVE-2022-39291 [MEDIUM]: ZoneMinder is a free, open source Closed-circuit television software application
Source: osv · 2022-10-07 · CVSS 5.4
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/171498/Zoneminder-Log-Injection-XSS-Cross-Site-Request-Forgery.html
- https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4
- https://github.com/ZoneMinder/zoneminder/commit/73d9f2482cdcb238506388798d3cf92546f9e40c
- https://github.com/ZoneMinder/zoneminder/commit/cb3fc5907da21a5111ae54128a5d0b49ae755e9b
- https://github.com/ZoneMinder/zoneminder/commit/de2866f9574a2bf2690276fad53c91d607825408
- https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-cfcx-v52x-jh74
Published: 2022-10-07