Multiple Vulnerabilities identified in ZoneMinder
Loginsoft-2019-1038
February 11, 2019
About Package
ZoneMinder is an open source surveillance software system provider which stands best in delivering the high standard state of art surveillance cameras and other related security solutions which mainly concentrate on functions like capturing, analyzing, recording and monitoring of CCTV or security cameras. ZoneMinder allows you monitor as you wish irrespective of the size and scope of the target environment. The application mainly concentrates on Home Security, Theft Prevention, Industrial and Commercial Security and also on Household security surveillance services.
Vulnerability Detected: Cross Site Scripting Attack (XSS)
CWE: 79
Impact: XSS attacks mainly focus on implanting the malicious code into the trusted websites which lays the path for the attacker to invade into the system with the help of implanted code upon execution.
Identified CVEs
| CVE-2019-6990 | CVE-2019-7332 | CVE-2019-7341 |
| CVE-2019-6992 | CVE-2019-7333 | CVE-2019-7342 |
| CVE-2019-7325 | CVE-2019-7334 | CVE-2019-7343 |
| CVE-2019-7326 | CVE-2019-7335 | CVE-2019-7344 |
| CVE-2019-7327 | CVE-2019-7336 | CVE-2019-7345 |
| CVE-2019-7328 | CVE-2019-7337 | CVE-2019-7346 |
| CVE-2019-7329 | CVE-2019-7338 | CVE-2019-7348 |
| CVE-2019-7330 | CVE-2019-7339 | CVE-2019-7349 |
| CVE-2019-7331 | CVE-2019-7340 | CVE-2019-7352 |
Vulnerability Detected: Cross Site Request Forgery (CSRF)
CWE: 120
Impact: CSRF attack target the state changing requests and tries to force the end user to execute the unwanted or malicious code on the web application. These attacks also attract the victim user to perform the web actions as guided by the attacker such as changing the email address or password or even transferring the funds from one account to the other.
Identified CVEs
CVE-2019-7346
Vulnerability Detected: Log Injection
CWE: 74
Impact: Unvalidated user input data is injected into the log file, causing the addition of custom log events into the web page.
Identified CVEs
CVE-2019-7351
Vulnerability Detected: Session Fixation
CWE: 384
Impact: Attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim’s account.
Identified CVEs
CVE-2019-7350
Vulnerability Detected: Stack Overflow
CWE: 120
Impact: When the memory input exceeds the limit of the the stack an overflow occurs resulting in the data exploitation. This is high severity case as it tends to perform the arbitrary code execution or may cause Denial of Service.
Identified CVEs
CVE-2019-6991
Vulnerability Detected: TOCTOU Race Condition
CWE: 362
Impact: The TOCTOU vulnerability affects the system behavior and triggers the uncontrollable events as the sequence timing is exploited.
Identified CVEs
CVE-2019-7347
Timeline
Vendor Disclosure: 2019-01-24
Public Disclosure: 2019-02-11
Credit
Discovered by ACE Team – Loginsoft