Self-Stored XSS Vulnerability in ZoneMinder Affected by Insecure Output Handling
CVE-2019-7338

6.1MEDIUM

Key Information:

Vendor: Zoneminder
Status: Zoneminder
Vendor: CVE Published:; 3 October 2022

What is CVE-2019-7338?

A self-stored XSS vulnerability exists in ZoneMinder versions up to 1.32.3. This flaw allows an attacker to inject and execute malicious HTML or JavaScript code due to improper handling of user-supplied data in the 'Group Name' field. The application fails to adequately filter output before rendering it on web pages, making it susceptible to exploitation. Attackers can potentially leverage this vulnerability to take control of user sessions or manipulate page content in a trusted web application environment.

References

https://github.com/ZoneMinder/zoneminder/issues/2454

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 3, 2022
Vulnerability Reserved
Oct 3, 2022

Zoneminder

What is CVE-2019-7338?

References

CVSS V3.1

Timeline