CVE-2019-7337

2019-02-0419:29:00

Debian Security Bug Tracker

security-tracker.debian.org

cve-2019-7337

cross site scripting

zoneminder

events

functions.php

output filtration

sortheader

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

24.8%

JSON

Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 as the view ‘events’ (events.php) insecurely displays the limit parameter value, without applying any proper output filtration. This issue exists because of the function sortHeader() in functions.php, which insecurely returns the value of the limit query string parameter without applying any filtration.

OSVersionArchitecturePackageVersionFilename
Debian12allzoneminder< 1.34.6-1zoneminder_1.34.6-1_all.deb
Debian11allzoneminder< 1.34.6-1zoneminder_1.34.6-1_all.deb
Debian999allzoneminder< 1.34.6-1zoneminder_1.34.6-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	zoneminder	< 1.34.6-1	zoneminder_1.34.6-1_all.deb
Debian	11	all	zoneminder	< 1.34.6-1	zoneminder_1.34.6-1_all.deb
Debian	999	all	zoneminder	< 1.34.6-1	zoneminder_1.34.6-1_all.deb