CVE-2022-30768

2022-11-1522:15:11

Google

osv.dev

stored cross site scripting

zoneminder

html javascript

logout

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

34.2%

JSON

A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 and requires a different attack method.

CPENameOperatorVersion
zonemindereq1.30.0-rc1
zonemindereq1.36.24+dfsg1-1~bpo11+1
zonemindereq1.36.14+dfsg1-1
zonemindereq1.36.1
zonemindereq1.34.16
zonemindereq1.34.17
zonemindereq1.34.19
zonemindereq1.29.0-rc2
zonemindereq1.30.4
zonemindereq1.34.4

Name	Operator	Version
zoneminder	eq	1.30.0-rc1
zoneminder	eq	1.36.24+dfsg1-1~bpo11+1
zoneminder	eq	1.36.14+dfsg1-1
zoneminder	eq	1.36.1
zoneminder	eq	1.34.16
zoneminder	eq	1.34.17
zoneminder	eq	1.34.19
zoneminder	eq	1.29.0-rc2
zoneminder	eq	1.30.4
zoneminder	eq	1.34.4