[USN-5889-1] ZoneMinder vulnerabilities
Camila Camargo de Matos
camila.camargodematos at canonical.com
Mon Feb 27 12:29:30 UTC 2023
==========================================================================
Ubuntu Security Notice USN-5889-1
February 27, 2023
zoneminder vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in ZoneMinder.
Software Description:
- zoneminder: video camera security and surveillance solution
Details:
It was discovered that ZoneMinder was not properly sanitizing URL
parameters for certain views. An attacker could possibly use this issue to
perform a cross-site scripting (XSS) attack. This issue was only fixed in
Ubuntu 16.04 ESM. (CVE-2019-6777)
It was discovered that ZoneMinder was not properly sanitizing stored user
input later printed to the user in certain views. An attacker could
possibly use this issue to perform a cross-site scripting (XSS) attack.
This issue was only fixed in Ubuntu 16.04 ESM. (CVE-2019-6990,
CVE-2019-6992)
It was discovered that ZoneMinder was not properly limiting data size and
not properly performing bound checks when processing username and password
data, which could lead to a stack buffer overflow. An attacker could
possibly use this issue to bypass authentication, cause a denial of
service or execute arbitrary code. This issue was only fixed in Ubuntu
16.04 ESM. (CVE-2019-6991)
It was discovered that ZoneMinder was not properly defining and filtering
data that was appended to the webroot URL of a view. An attacker could
possibly use this issue to perform cross-site scripting (XSS) attacks.
This issue was only fixed in Ubuntu 16.04 ESM and Ubuntu 20.04 LTS.
(CVE-2019-7325, CVE-2019-7329)
It was discovered that ZoneMinder was not properly sanitizing stored user
input later printed to the user in certain views. An attacker could
possibly use this issue to perform a cross-site scripting (XSS) attack.
This issue was only fixed in Ubuntu 20.04 LTS. (CVE-2019-7326)
It was discovered that ZoneMinder was not properly sanitizing URL
parameters for certain views. An attacker could possibly use this issue to
perform a cross-site scripting (XSS) attack. This issue was only fixed in
Ubuntu 20.04 LTS. (CVE-2019-7327, CVE-2019-7328, CVE-2019-7330,
CVE-2019-7332)
It was discovered that ZoneMinder was not properly sanitizing user input
in the monitor editing view. An attacker could possibly use this issue to
perform a cross-site scripting (XSS) attack. This issue was only fixed in
Ubuntu 16.04 ESM and Ubuntu 20.04 LTS. (CVE-2019-7331)
It was discovered that ZoneMinder was not properly sanitizing data related
to file paths in a system. An attacker could possibly use this issue to
execute arbitrary code. (CVE-2022-29806)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
zoneminder 1.36.12+dfsg1-1ubuntu0.1~esm1
Ubuntu 20.04 LTS:
zoneminder 1.32.3-2ubuntu2+esm1
Ubuntu 16.04 ESM:
zoneminder 1.29.0+dfsg-1ubuntu2+esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5889-1
CVE-2019-6777, CVE-2019-6990, CVE-2019-6991, CVE-2019-6992,
CVE-2019-7325, CVE-2019-7326, CVE-2019-7327, CVE-2019-7328,
CVE-2019-7329, CVE-2019-7330, CVE-2019-7331, CVE-2019-7332,
CVE-2022-29806
Package Information:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20230227/3757cf93/attachment.sig>
More information about the ubuntu-security-announce
mailing list