zoneminder: CVE-2022-39285 CVE-2022-39289 CVE-2022-39290 CVE-2022-39291


Debian Bug report logs - #1021565
zoneminder: CVE-2022-39285 CVE-2022-39289 CVE-2022-39290 CVE-2022-39291


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 10 Oct 2022 20:30:01 UTC

Severity: important

Tags: security, upstream

Found in version zoneminder/1.36.26+dfsg1-1



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#1021565; Package src:zoneminder. (Mon, 10 Oct 2022 20:30:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>. (Mon, 10 Oct 2022 20:30:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zoneminder: CVE-2022-39285 CVE-2022-39289 CVE-2022-39290 CVE-2022-39291
Date: Mon, 10 Oct 2022 22:27:00 +0200
Source: zoneminder
Version: 1.36.26+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for zoneminder.

CVE-2022-39285[0]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. The file parameter is vulnerable to a cross site scripting
| vulnerability (XSS) by backing out of the current "tr" "td" brackets.
| This then allows a malicious user to provide code that will execute
| when a user views the specific log on the "view=log" page. This
| vulnerability allows an attacker to store code within the logs that
| will be executed when loaded by a legitimate user. These actions will
| be performed with the permission of the victim. This could lead to
| data loss and/or further exploitation including account takeover. This
| issue has been addressed in versions `1.36.27` and `1.37.24`. Users
| are advised to upgrade. Users unable to upgrade should disable
| database logging.


CVE-2022-39289[1]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. In affected versions the ZoneMinder API Exposes Database
| Log contents to user without privileges, allows insertion,
| modification, deletion of logs without System Privileges. Users are
| advised to upgrade as soon as possible. Users unable to upgrade should
| disable database logging.


CVE-2022-39290[2]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. In affected versions authenticated users can bypass CSRF
| keys by modifying the request supplied to the Zoneminder web
| application. These modifications include replacing HTTP POST with an
| HTTP GET and removing the CSRF key from the request. An attacker can
| take advantage of this by using an HTTP GET request to perform actions
| with no CSRF protection. This could allow an attacker to cause an
| authenticated user to perform unexpected actions on the web
| application. Users are advised to upgrade as soon as possible. There
| are no known workarounds for this issue.


CVE-2022-39291[3]:
| ZoneMinder is a free, open source Closed-circuit television software
| application. Affected versions of zoneminder are subject to a
| vulnerability which allows users with "View" system permissions to
| inject new data into the logs stored by Zoneminder. This was observed
| through an HTTP POST request containing log information to the
| "/zm/index.php" endpoint. Submission is not rate controlled and could
| affect database performance and/or consume all storage resources.
| Users are advised to upgrade. There are no known workarounds for this
| issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39285
    https://www.cve.org/CVERecord?id=CVE-2022-39285
[1] https://security-tracker.debian.org/tracker/CVE-2022-39289
    https://www.cve.org/CVERecord?id=CVE-2022-39289
[2] https://security-tracker.debian.org/tracker/CVE-2022-39290
    https://www.cve.org/CVERecord?id=CVE-2022-39290
[3] https://security-tracker.debian.org/tracker/CVE-2022-39291
    https://www.cve.org/CVERecord?id=CVE-2022-39291

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
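The stored-XSS pattern behind CVE-2022-39285 above (an attacker-controlled "file" field closing the current td/tr cells of the view=log table) is easiest to see with a rendering function beside its escaped counterpart. The following is an added example written for this page; it is not ZoneMinder's code, the log rows, column names and the structural check are constructed for illustration, and the `</td></tr><script>...` payload is only the breakout shape the advisory describes.

```python
import html
import re

# Constructed sample log rows in the shape the advisory describes: a
# "file" field the attacker controls. These are made up for this example,
# not real ZoneMinder log lines.
SAMPLE_LOGS = [
    {"level": "INF", "component": "zmc_m1", "file": "zm_monitor.cpp",
     "message": "Starting capture"},
    {"level": "ERR", "component": "web_php",
     "file": '</td></tr><script>fetch("/zm/?view=user")</script><tr><td>',
     "message": "injected"},
]

COLUMNS = ("level", "component", "file", "message")  # assumed column set


def render_log_table_vulnerable(rows):
    """Interpolates each field unescaped. A crafted 'file' value therefore
    terminates the current <td>/<tr> and injects its own markup and script,
    which then runs in the browser of whoever opens the log view."""
    out = ["<table>"]
    for r in rows:
        out.append("<tr>" + "".join(f"<td>{r[c]}</td>" for c in COLUMNS) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def render_log_table_hardened(rows):
    """Same layout, but every field is HTML-escaped (quote=True) before
    insertion, so '<', '>', '&' and quotes cannot end a cell or open a tag."""
    out = ["<table>"]
    for r in rows:
        cells = "".join(f"<td>{html.escape(str(r[c]), quote=True)}</td>" for c in COLUMNS)
        out.append("<tr>" + cells + "</tr>")
    out.append("</table>")
    return "\n".join(out)


def row_structure_intact(rendered, expected_rows):
    """Structural check a reviewer can run on the output: an intact table has
    exactly one <tr> and len(COLUMNS) <td> per log row and no <script> tag.
    Any breakout adds extra cells or tags and fails this check."""
    n_tr = len(re.findall(r"<tr>", rendered))
    n_td = len(re.findall(r"<td>", rendered))
    has_script = "<script" in rendered
    return n_tr == expected_rows and n_td == expected_rows * len(COLUMNS) and not has_script


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_log_table_vulnerable),
                     ("hardened", render_log_table_hardened)):
        page = fn(SAMPLE_LOGS)
        print(name, "intact" if row_structure_intact(page, len(SAMPLE_LOGS)) else "broken out")
```

The escaping has to happen at output time, per cell, regardless of which component wrote the log line; the advisory's workaround of disabling database logging removes the attacker's storage path rather than the rendering bug.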

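The CSRF bypass in CVE-2022-39290 above comes from checking the anti-CSRF token by request method rather than by what the request does: replace the POST with a GET, drop the token, and a method-gated check never runs. The model below is an added example, not ZoneMinder's dispatcher or its real CSRF library; the parameter name `csrf_token`, the action names and the request shape are assumptions made for illustration.

```python
import hmac
import secrets

# Actions that change server state. Assumed names for this example, not
# ZoneMinder's actual action list.
STATE_CHANGING_ACTIONS = {"delete", "save", "login", "logout"}


def new_session():
    """Server-side session holding a random per-session CSRF token."""
    return {"user": "operator", "csrf": secrets.token_hex(16)}


def csrf_ok_vulnerable(request, session):
    """Mirrors the weakness the advisory describes: the token is validated
    only when the request is a POST. A GET carrying the same action
    parameters, with the token simply removed, is never checked."""
    if request["method"] == "POST":
        supplied = request["params"].get("csrf_token", "")
        return hmac.compare_digest(supplied, session["csrf"])
    return True


def csrf_ok_hardened(request, session):
    """Decide by what the request does, not by how it arrived: every
    state-changing action must be a POST that carries a valid token.
    Pure reads (view=...) stay unprotected because they change nothing."""
    action = request["params"].get("action")
    if action not in STATE_CHANGING_ACTIONS:
        return True
    if request["method"] != "POST":
        return False  # the GET downgrade is refused outright
    supplied = request["params"].get("csrf_token")
    if supplied is None:
        return False  # missing token is a failure, not a skip
    return hmac.compare_digest(supplied, session["csrf"])


def dispatch(request, session, checker):
    """Minimal model of the index.php entry point: run the CSRF check, then
    either perform or reject the action."""
    return "performed" if checker(request, session) else "rejected"


def downgrade_to_get(post_request):
    """The attacker's transformation from the advisory: same parameters,
    method switched to GET, CSRF token dropped. A page the victim visits
    can make the browser send exactly this with the victim's cookies."""
    params = {k: v for k, v in post_request["params"].items() if k != "csrf_token"}
    return {"method": "GET", "params": params}


def demo():
    """Runs the legitimate request and its forged GET downgrade through
    both checkers and returns the four outcomes."""
    sess = new_session()
    legit = {"method": "POST",
             "params": {"view": "monitor", "action": "delete", "mid": "3",
                        "csrf_token": sess["csrf"]}}
    forged = downgrade_to_get(legit)
    return {
        "legit_vulnerable": dispatch(legit, sess, csrf_ok_vulnerable),
        "legit_hardened": dispatch(legit, sess, csrf_ok_hardened),
        "forged_vulnerable": dispatch(forged, sess, csrf_ok_vulnerable),
        "forged_hardened": dispatch(forged, sess, csrf_ok_hardened),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hardened check also rejects a GET that does carry a valid token, because state changes over GET leak the token into referrers and logs; the fix is to refuse the method, not to start validating tokens on GET.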




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Oct 11 13:23:04 2022; Machine Name: bembo
