CVE-2022-39291

🗓️ 07 Oct 2022 00:00:00Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 3 Media mentions👁 84 Views🌐 WEB

ZoneMinder vulnerability allows log injection via HTTP POST request

Reporter	Title	Published	Views	Family All 36
0day.today	Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass Exploit	27 Mar 202300:00	–	zdt
AlpineLinux	CVE-2022-39291	7 Oct 202200:00	–	alpinelinux
Circl	CVE-2022-39291	27 Mar 202300:00	–	circl
CNNVD	ZoneMinder 输入验证错误漏洞	7 Oct 202200:00	–	cnnvd
CNVD	ZoneMinder input validation error vulnerability	10 Oct 202200:00	–	cnvd
Cvelist	CVE-2022-39291 Denial of service through logs in zoneminder	7 Oct 202200:00	–	cvelist
Debian CVE	CVE-2022-39291	7 Oct 202200:00	–	debiancve
Exploit DB	Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass	27 Mar 202300:00	–	exploitdb
EUVD	EUVD-2022-41789	3 Oct 202520:07	–	euvd
NVD	CVE-2022-39291	7 Oct 202221:15	–	nvd

NVD

Vulners

Node

zoneminder zoneminderRange<1.36.27

zoneminder zoneminderRange1.37.0–1.37.24

[
  {
    "vendor": "ZoneMinder",
    "product": "zoneminder",
    "versions": [
      {
        "version": "< 1.36.27",
        "status": "affected"
      },
      {
        "version": ">= 1.37.0, <1.37.24",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/ZoneMinder/zoneminder/commit/de2866f9574a2bf2690276fad53c91d607825408
github	www.github.com/ZoneMinder/zoneminder/commit/73d9f2482cdcb238506388798d3cf92546f9e40c
github	www.github.com/ZoneMinder/zoneminder/commit/cb3fc5907da21a5111ae54128a5d0b49ae755e9b
github	www.github.com/ZoneMinder/zoneminder/security/advisories/GHSA-cfcx-v52x-jh74
packetstormsecurity	www.packetstormsecurity.com/files/171498/Zoneminder-Log-Injection-XSS-Cross-Site-Request-Forgery.html
github	www.github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4

Parameter	Position	Path	Description	CWE
__csrf_magic	request body	zm/index.php	Log injection via HTTP POST to Zoneminder's index endpoint used to inject data into logs (CSRF bypass used in PoC).	CWE-20
view	request body	zm/index.php	Log injection via HTTP POST to Zoneminder's index endpoint used to inject data into logs (CSRF bypass used in PoC).	CWE-20
request	request body	zm/index.php	Log injection via HTTP POST to Zoneminder's index endpoint used to inject data into logs (CSRF bypass used in PoC).	CWE-20
task	request body	zm/index.php	Log injection via HTTP POST to Zoneminder's index endpoint used to inject data into logs (CSRF bypass used in PoC).	CWE-20
level	request body	zm/index.php	Log injection via HTTP POST to Zoneminder's index endpoint used to inject data into logs (CSRF bypass used in PoC).	CWE-20
message	request body	zm/index.php	Log injection via HTTP POST to Zoneminder's index endpoint used to inject data into logs (CSRF bypass used in PoC).	CWE-20
file	request body	zm/index.php	Log injection via HTTP POST to Zoneminder's index endpoint used to inject data into logs (CSRF bypass used in PoC).	CWE-20
line	request body	zm/index.php	Log injection via HTTP POST to Zoneminder's index endpoint used to inject data into logs (CSRF bypass used in PoC).	CWE-20

21 Nov 2024 07:17Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.15.4

EPSS0.07159

SSVC

CWE-20