ZoneMinder contains Cross-site Scripting via log viewing
CVE-2023-25825

7.7HIGH

Key Information:

Vendor: Zoneminder
Status: Zoneminder
Vendor: CVE Published:; 25 February 2023

What is CVE-2023-25825?

A Cross-site Scripting vulnerability exists in ZoneMinder versions prior to 1.36.33, allowing attacker-controlled log entries to be injected into the database. These entries can include a malicious referrer field that is not properly escaped when displayed in the web interface. This may lead users to execute arbitrary scripts in the context of their browser, posing potential security risks. ZoneMinder has addressed this issue in version 1.36.33, providing users with an essential update to secure their systems.

Affected Version(s)

zoneminder < 1.36.33

References

https://github.com/ZoneMinder/zoneminder/security/advisor...

x_refsource_CONFIRM

https://github.com/ZoneMinder/zoneminder/commit/4637eaf9e...

x_refsource_MISC

https://github.com/ZoneMinder/zoneminder/commit/57bf25d39...

x_refsource_MISC

CVSS V3.1

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Feb 25, 2023
Vulnerability Reserved
Feb 15, 2023

Zoneminder

What is CVE-2023-25825?

Affected Version(s)

References

CVSS V3.1

Timeline