Database log access in ZoneMinder
CVE-2022-39289

9.1CRITICAL

Key Information:

Vendor: Zoneminder
Status: Zoneminder
Vendor: CVE Published:; 7 October 2022

What is CVE-2022-39289?

ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable to upgrade should disable database logging.

Affected Version(s)

zoneminder < 1.36.27 < 1.36.27

zoneminder >= 1.37.0, < 1.37.24 < 1.37.0, 1.37.24

References

https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf...

https://github.com/ZoneMinder/zoneminder/security/advisor...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 7, 2022
Vulnerability Reserved
Sep 2, 2022

Zoneminder

What is CVE-2022-39289?

Affected Version(s)

References

CVSS V3.1

Timeline