Headline

CVE-2022-29806: Release The Memory Remains 1.36.13 · ZoneMinder/zoneminder

ZoneMinder before 1.36.13 allows remote code execution via an invalid language.

2 years ago

Changes since 1.36.12

Change a warning to a Debug when getting the latest image using zmu
Updates to Axis PTZ script adding support for getting details from Path and fixing support for older cameras
Fix for update script for 1.35.25 and DayEventDiskSpace
include user and function error message about insufficient permissions. Will make it easier to figure out who tried what.
Fix for crash in CSRF
Fix missing text-right align on Port/Path labels. Set step to 1 for Port
Remote RTSP camera.
Fix fail to get Sources in Remote RTSP
Fix compilation with ffmpeg 5.0
Implement filter limits. Which go before pagination/advanced search limits
Fix do_debian_package build script for version = CURRENT style versioning.
Implement a check on change of language. Make sure that the specified language file exists. Reports errors to UI
Test for valid language file when saving user.
add styling for errors reported to ui and include the errors on options view
Fix zmu device probing
Change title of v4l settings button to give an indication WHY it isn’t enabled
Convert Fatal()s to Errors() in image viewing. Maybe Fixes [#3426]
Include EndDateTimeShort in event stats
Handle empty endtime (in progress event) more gracefully. If there is a next event just jump to it.
locking fixes that caused hung zmu and zms processes
Set mysql character set to utf8 explicitly to support chinese characters (or other special characters).
escape html in Storage names
fix auth’d user information being saved to session before switching session id’s leaving bogus authenticated user in previous session.
Fix potential XSS from Username
Add a pattern filter for Usernames, Group Names and Storage Names to prevent invalid characters and XSS
Add NOT IN case to filters. Also, fix bad SQL when value evals to false. Test for empty string instead. Fixes [#3425]
Fix CURL monitors
Fix event view corruption caused by changes to the sendfile system call.Fixes [#3437]
Add useful title to frame image telling us which we are looking at
Allow empty sort field when listing events
Fix error in PTZ control code when no speed has been defined.
Allow editing of admin user.
Add more of the resulting SQL to the filter debug modal
Make filter debug modal work on non-saved filter
improvements to Event module implementing a Server() function which figures out which Server likely has the video. Use it to remove duplicate logic
improvements to Zone module Add numCoords, Coords, Area, AlarmRGB to Zone object. Also add Points(), AreaCoords, svg_polygon
Implement zm_setcookie to simplify setting cookies, set samesite, deal with older php etc
add loading=lazy to most images to improve page loading
Don’t both running zmu if monitor Function is set to None
Add mp4 as an option for generated video and make it the default instead of avi
Set some new more sensible defaults for various settings including logging, navbar refreshes, full page refreshes and ajax timeouts
Big update to Control.pm
Fix for Netcat PTZ using x=0 y=0 for autostop in addition to old stop movement code
Implement reboot and ping methods for Trendnet PTZ Control
rough in Url, UrlToZMS PathToZMS PathToIndex, UrlToIndex UrlToApi PathToApi in SERver object
reduce debug logging in zmaudit

There are fixes in here for 3 vulnerabilities:
Remote code execution by specifying an invalid language found by Krastanoel.
Stored XSS in Username field found by Tester Tester
Session Fixation problem found by Tester Tester.

Full Changelog: 1.36.12…1.36.13

The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.

2 years ago

Headline

CVE-2022-29806: Release The Memory Remains 1.36.13 · ZoneMinder/zoneminder

Related news

CVE: Latest News