CVE-2023-25825 — Cross-site Scripting in Zoneminder

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 46.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedFeb 25

Description

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious referrer field. This is unescaped when viewing the logs in the web ui. This issue is patched in version 1.36.33.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/zoneminder< zoneminder 1.36.33+dfsg1-1 (bookworm)

▶NVDzoneminder/zoneminder1.37.0 — 1.37.33+1

▶Debianzoneminder/zoneminder< 1.36.33+dfsg1-1+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-25825: ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras↗2023-02-25

▶

📋Vendor Advisories

Debian

CVE-2023-25825: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...↗2023

▶