Cross-site scripting in zoneminder (Alpine package)

1) Cross-site scripting

EUVDB-ID: #VU33045

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5367

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others).

Mitigation

Install update from vendor's website.

Vulnerable software versions

zoneminder (Alpine package): 1.30.2-r0 - 1.30.4-r6

CPE2.3

• cpe:2.3:a:alpine:zoneminder_alpine_package:1.30.2-r0:*:*:*:*:alpine_linux:*:3.4
• cpe:2.3:a:alpine:zoneminder_alpine_package:1.30.4-r1:*:*:*:*:alpine_linux:*:3.7
• cpe:2.3:a:alpine:zoneminder_alpine_package:1.30.4-r2:*:*:*:*:alpine_linux:*:3.7

External links

https://git.alpinelinux.org/aports/commit/?id=0e28b3ffcdf7bd0abff2e5a7304f7d2c8693389e
https://git.alpinelinux.org/aports/commit/?id=70721263c1117924c0974d2316dbae5551fea707

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.