CVE-2019-7352 - OpenCVE

Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'state' (aka Run State) (state.php) does no input validation to the value supplied to the 'New State' (aka newState) field, allowing an attacker to execute HTML or JavaScript code.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Zoneminder	Zoneminder

Configuration 1 [-]

cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/ZoneMinder/zoneminder/issues/2475	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-10-03T16:19:28

Updated: 2022-10-03T16:19:28

Reserved: 2022-10-03T00:00:00

Link: CVE-2019-7352

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-02-04T19:29:01.537

Modified: 2019-02-04T20:13:21.080

Link: CVE-2019-7352

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*", "matchCriteriaId": "8045339C-B032-47D7-BEAE-90BCC6699C06", "versionEndIncluding": "1.32.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'state' (aka Run State) (state.php) does no input validation to the value supplied to the 'New State' (aka newState) field, allowing an attacker to execute HTML or JavaScript code."}, {"lang": "es", "value": "Existe autocross-Site Scripting (XSS) persistente en ZoneMinder, hasta la versi\u00f3n 1.32.3, ya que la vista \"state\" (tambi\u00e9n conocida como Run State, en options.php) no introduce validaci\u00f3n para los valores proporcionados al campo New State (tambi\u00e9n conocido como newState), lo que permite que un atacante ejecute c\u00f3digo HTML o JavaScript."}], "id": "CVE-2019-7352", "lastModified": "2019-02-04T20:13:21.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-04T19:29:01.537", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ZoneMinder/zoneminder/issues/2475"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}