Debian Bug report logs - #1021565: zoneminder: CVE-2022-39285 CVE-2022-39289 CVE-2022-39290 CVE-2022-39291
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>: Bug#1021565; Package src:zoneminder. (Mon, 10 Oct 2022 20:30:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>. (Mon, 10 Oct 2022 20:30:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: zoneminder
Version: 1.36.26+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for zoneminder.
CVE-2022-39285[0]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. The file parameter is vulnerable to a cross site scripting
| vulnerability (XSS) by backing out of the current "tr" "td" brackets.
| This then allows a malicious user to provide code that will execute
| when a user views the specific log on the "view=log" page. This
| vulnerability allows an attacker to store code within the logs that
| will be executed when loaded by a legitimate user. These actions will
| be performed with the permission of the victim. This could lead to
| data loss and/or further exploitation including account takeover. This
| issue has been addressed in versions `1.36.27` and `1.37.24`. Users
| are advised to upgrade. Users unable to upgrade should disable
| database logging.
CVE-2022-39289[1]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. In affected versions the ZoneMinder API Exposes Database
| Log contents to user without privileges, allows insertion,
| modification, deletion of logs without System Privileges. Users are
| advised to upgrade as soon as possible. Users unable to upgrade should
| disable database logging.
CVE-2022-39290[2]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. In affected versions authenticated users can bypass CSRF
| keys by modifying the request supplied to the Zoneminder web
| application. These modifications include replacing HTTP POST with an
| HTTP GET and removing the CSRF key from the request. An attacker can
| take advantage of this by using an HTTP GET request to perform actions
| with no CSRF protection. This could allow an attacker to cause an
| authenticated user to perform unexpected actions on the web
| application. Users are advised to upgrade as soon as possible. There
| are no known workarounds for this issue.
CVE-2022-39291[3]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. Affected versions of zoneminder are subject to a
| vulnerability which allows users with "View" system permissions to
| inject new data into the logs stored by Zoneminder. This was observed
| through an HTTP POST request containing log information to the
| "/zm/index.php" endpoint. Submission is not rate controlled and could
| affect database performance and/or consume all storage resources.
| Users are advised to upgrade. There are no known workarounds for this
| issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-39285
https://www.cve.org/CVERecord?id=CVE-2022-39285
[1] https://security-tracker.debian.org/tracker/CVE-2022-39289
https://www.cve.org/CVERecord?id=CVE-2022-39289
[2] https://security-tracker.debian.org/tracker/CVE-2022-39290
https://www.cve.org/CVERecord?id=CVE-2022-39290
[3] https://security-tracker.debian.org/tracker/CVE-2022-39291
https://www.cve.org/CVERecord?id=CVE-2022-39291
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
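The CSRF bypass described for CVE-2022-39290 (a POST downgraded to a GET with the key removed), as an added example that is not ZoneMinder's code: a minimal Python model of the weak check pattern beside a hardened one. The action names, the token parameter name and the HMAC token scheme are assumptions made for the illustration.

```python
# Added example (not ZoneMinder's code): the CSRF check pattern behind
# CVE-2022-39290, with the weak check beside a hardened one.
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical names; ZoneMinder's real action and token names are not on this page.
STATE_CHANGING_ACTIONS = {"delete_event", "save_monitor", "clear_logs"}
TOKEN_PARAM = "csrf_token"


@dataclass
class Request:
    """A request as a PHP-style app sees it: method plus query and body parameters."""
    method: str
    query: dict = field(default_factory=dict)  # parameters from the URL
    body: dict = field(default_factory=dict)   # parameters from the POST form

    def merged(self) -> dict:                  # like PHP's $_REQUEST: query and body mixed
        return {**self.query, **self.body}


def issue_token(session_secret: bytes) -> str:
    """Derive a per-session CSRF token (HMAC keyed on a session secret)."""
    return hmac.new(session_secret, b"csrf", hashlib.sha256).hexdigest()


def weak_check(req: Request, session_secret: bytes) -> bool:
    """Bug pattern from the advisory: the token is validated only when it is
    present on a POST, so the same action sent as GET without the key passes."""
    token = req.merged().get(TOKEN_PARAM)
    if req.method != "POST" or token is None:
        return True  # nothing to compare, so nothing is rejected
    return hmac.compare_digest(token, issue_token(session_secret))


def hardened_check(req: Request, session_secret: bytes) -> bool:
    """Every state-changing action must arrive by POST and carry a valid body token."""
    if req.merged().get("action") not in STATE_CHANGING_ACTIONS:
        return True   # read-only views need no token
    if req.method != "POST":
        return False  # a GET must never mutate state, token or not
    token = req.body.get(TOKEN_PARAM)  # read from the form body only, never the URL
    return token is not None and hmac.compare_digest(token, issue_token(session_secret))


# Constructed sample requests: a legitimate form post and the downgraded GET.
SECRET = b"constructed-session-secret"
LEGIT = Request("POST", body={"action": "delete_event", TOKEN_PARAM: issue_token(SECRET)})
DOWNGRADED = Request("GET", query={"action": "delete_event"})  # key dropped, method switched
```

The weak check accepts DOWNGRADED because it never reaches the comparison; the hardened check rejects it on method alone and also refuses a POST carrying a wrong or missing token.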
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Oct 11 13:23:04 2022; Machine Name: bembo. Debian Bug tracking system.