CVE-2019-7331
Published: 4 February 2019
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 while editing an existing monitor field named "signal check color" (monitor.php). There exists no input validation or output filtration, leaving it vulnerable to HTML Injection and an XSS attack.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
zoneminder Launchpad, Ubuntu, Debian |
groovy |
Ignored
(end of life)
|
| bionic |
Does not exist
|
|
| cosmic |
Ignored
(end of life)
|
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| hirsute |
Ignored
(end of life)
|
|
| xenial |
Released
(1.29.0+dfsg-1ubuntu2+esm1)
Available with Ubuntu Pro |
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Not vulnerable
(1.36.12+dfsg1-1)
|
|
| kinetic |
Not vulnerable
(1.36.24+dfsg1-1)
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Released
(1.34.0)
|
|
| lunar |
Not vulnerable
(1.36.32+dfsg1-1)
|
|
| focal |
Released
(1.32.3-2ubuntu2+esm1)
Available with Ubuntu Pro |
|
| mantic |
Not vulnerable
(1.36.32+dfsg1-1)
|
|
|
Patches: upstream: https://github.com/ZoneMinder/zoneminder/commit/254b7286b4d2654b95080a175c44195667e42ea8 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |