CVE-2019-7331
Published: 4 February 2019
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 while editing an existing monitor field named "signal check color" (monitor.php). There exists no input validation or output filtration, leaving it vulnerable to HTML Injection and an XSS attack.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
zoneminder Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| cosmic |
Ignored
(reached end-of-life)
|
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Released
(1.32.3-2ubuntu2+esm1)
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Not vulnerable
(1.36.12+dfsg1-1)
|
|
| kinetic |
Not vulnerable
(1.36.24+dfsg1-1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Released
(1.34.0)
|
|
| xenial |
Released
(1.29.0+dfsg-1ubuntu2+esm1)
|
|
|
Patches: upstream: https://github.com/ZoneMinder/zoneminder/commit/254b7286b4d2654b95080a175c44195667e42ea8 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.1 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |