Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-29806: Release The Memory Remains 1.36.13 · ZoneMinder/zoneminder

ZoneMinder before 1.36.13 allows remote code execution via an invalid language.

CVE
#sql#xss#csrf#vulnerability#debian

Changes since 1.36.12

  • Change a warning to a Debug when getting the latest image using zmu
  • Updates to Axis PTZ script adding support for getting details from Path and fixing support for older cameras
  • Fix for update script for 1.35.25 and DayEventDiskSpace
  • include user and function error message about insufficient permissions. Will make it easier to figure out who tried what.
  • Fix for crash in CSRF
  • Fix missing text-right align on Port/Path labels. Set step to 1 for Port
  • Remote RTSP camera.
  • Fix fail to get Sources in Remote RTSP
  • Fix compilation with ffmpeg 5.0
  • Implement filter limits. Which go before pagination/advanced search limits
  • Fix do_debian_package build script for version = CURRENT style versioning.
  • Implement a check on change of language. Make sure that the specified language file exists. Reports errors to UI
  • Test for valid language file when saving user.
  • add styling for errors reported to ui and include the errors on options view
  • Fix zmu device probing
  • Change title of v4l settings button to give an indication WHY it isn’t enabled
  • Convert Fatal()s to Errors() in image viewing. Maybe Fixes [#3426]
  • Include EndDateTimeShort in event stats
  • Handle empty endtime (in progress event) more gracefully. If there is a next event just jump to it.
  • locking fixes that caused hung zmu and zms processes
  • Set mysql character set to utf8 explicitly to support chinese characters (or other special characters).
  • escape html in Storage names
  • fix auth’d user information being saved to session before switching session id’s leaving bogus authenticated user in previous session.
  • Fix potential XSS from Username
  • Add a pattern filter for Usernames, Group Names and Storage Names to prevent invalid characters and XSS
  • Add NOT IN case to filters. Also, fix bad SQL when value evals to false. Test for empty string instead. Fixes [#3425]
  • Fix CURL monitors
  • Fix event view corruption caused by changes to the sendfile system call.Fixes [#3437]
  • Add useful title to frame image telling us which we are looking at
  • Allow empty sort field when listing events
  • Fix error in PTZ control code when no speed has been defined.
  • Allow editing of admin user.
  • Add more of the resulting SQL to the filter debug modal
  • Make filter debug modal work on non-saved filter
  • improvements to Event module implementing a Server() function which figures out which Server likely has the video. Use it to remove duplicate logic
  • improvements to Zone module Add numCoords, Coords, Area, AlarmRGB to Zone object. Also add Points(), AreaCoords, svg_polygon
  • Implement zm_setcookie to simplify setting cookies, set samesite, deal with older php etc
  • add loading=lazy to most images to improve page loading
  • Don’t both running zmu if monitor Function is set to None
  • Add mp4 as an option for generated video and make it the default instead of avi
  • Set some new more sensible defaults for various settings including logging, navbar refreshes, full page refreshes and ajax timeouts
  • Big update to Control.pm
  • Fix for Netcat PTZ using x=0 y=0 for autostop in addition to old stop movement code
  • Implement reboot and ping methods for Trendnet PTZ Control
  • rough in Url, UrlToZMS PathToZMS PathToIndex, UrlToIndex UrlToApi PathToApi in SERver object
  • reduce debug logging in zmaudit

There are fixes in here for 3 vulnerabilities:
Remote code execution by specifying an invalid language found by Krastanoel.
Stored XSS in Username field found by Tester Tester
Session Fixation problem found by Tester Tester.

Full Changelog: 1.36.12…1.36.13

Related news

CVE-2022-29499: Mitel Product Security Advisory 22-0002

The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.

CVE-2021-35250: SolarWinds Trust Center Security Advisories | CVE-2021-35250

A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

CVE-2022-1441: fixed #2175 · gpac/gpac@3dbe11b

MP4Box is a component of GPAC-2.0.0, which is a widely-used third-party package on RPM Fusion. When MP4Box tries to parse a MP4 file, it calls the function `diST_box_read()` to read from video. In this function, it allocates a buffer `str` with fixed length. However, content read from `bs` is controllable by user, so is the length, which causes a buffer overflow.

CVE-2022-25866: Uses --end-of-options after command options (for security reasons) · czproject/git-php@5e82d54

The package czproject/git-php before 4.0.3 are vulnerable to Command Injection via git argument injection. When calling the isRemoteUrlReadable($url, array $refs = NULL) function, both the url and refs parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

CVE-2022-28290: 2022-28290 - Reflected Cross-Site Scripting in Welaunch

Reflective Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever the user tries to access the country selector page with the specified payload as a part of the HTTP request

CVE-2021-4225: CVEproject/wordpress_SP-Project_fileupload.md at main · pang0lin/CVEproject

The SP Project & Document Manager WordPress plugin before 4.24 allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.

CVE-2022-1390: WordPress Admin Word Count Column 2.2 Local File Inclusion ≈ Packet Storm

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unauthenticated attackers to read arbitrary files on server running old version of PHP susceptible to the null byte technique. This could also lead to RCE by using a Phar Deserialization technique

CVE-2022-24792: Merge pull request from GHSA-rwgw-vwxg-q799 · pjsip/pjproject@947bc1e

PJSIP is a free and open source multimedia communication library written in C. A denial-of-service vulnerability affects applications on a 32-bit systems that use PJSIP versions 2.12 and prior to play/read invalid WAV files. The vulnerability occurs when reading WAV file data chunks with length greater than 31-bit integers. The vulnerability does not affect 64-bit apps and should not affect apps that only plays trusted WAV files. A patch is available on the `master` branch of the `pjsip/project` GitHub repository. As a workaround, apps can reject a WAV file received from an unknown source or validate the file first.

CVE-2022-1391: WordPress Cab-Fare-Calculator 1.0.3 Local File Inclusion ≈ Packet Storm

The Cab fare calculator WordPress plugin through 1.0.3 does not validate the controller parameter before using it in require statements, which could lead to Local File Inclusion issues.

CVE-2022-1396: WordPress Donorbox-Donation-Form 7.1.6 Cross Site Scripting ≈ Packet Storm

The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL settings before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed

RHSA-2022:1491: Red Hat Security Advisory: java-1.8.0-openjdk security update

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) * CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) * CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) * CVE-2022-21476: OpenJDK: Defecti...

CVE-2022-26111: CVE-Advisory/CVE-2022-26111.pdf at main · post-cyberlabs/CVE-Advisory

The BeanShell components of IRISNext through 9.8.28 allow execution of arbitrary commands on the target server by creating a custom search (or editing an existing/predefined search) of the documents. The search components permit adding BeanShell expressions that result in Remote Code Execution in the context of the IRISNext application user, running on the web server.

CVE-2022-29078: EJS, Server side template injection RCE (CVE-2022-29078) - writeup

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

RHSA-2022:1490: Red Hat Security Advisory: java-1.8.0-openjdk security update

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) * CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) * CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) * CVE-20...

RHSA-2022:1489: Red Hat Security Advisory: java-1.8.0-openjdk security update

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) * CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) * CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) * CVE-20...

RHSA-2022:1488: Red Hat Security Advisory: java-1.8.0-openjdk security update

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) * CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) * CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151...

RHSA-2022:1487: Red Hat Security Advisory: java-1.8.0-openjdk security, bug fix, and enhancement update

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21426: OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504) * CVE-2022-21434: OpenJDK: Improper object-to-string conversion in AnnotationInvocationHandler (Libraries, 8277672) * CVE-2022-21443: OpenJDK: Missing check for negative ObjectIdentifier (Libraries, 8275151) * CVE-2022-21476: OpenJDK: Defecti...

CVE-2022-28053: V1.5.3: Unrestricted File Upload Vulnerability · Issue #325 · typemill/typemill

Typemill v1.5.3 was discovered to contain an arbitrary file upload vulnerability via the upload function. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2022-27428: v2.0: stored XSS Vulnerability · Issue #20 · bensonarts/GalleryCMS

A stored cross-site scripting (XSS) vulnerability in /index.php/album/add of GalleryCMS v2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the album_name parameter.

CVE-2022-28586: XSS on Hoosk v1.8 · Issue #63 · havok89/Hoosk

XSS in edit page of Hoosk 1.8.0 allows attacker to execute javascript code in user browser via edit page with XSS payload bypass filter some special chars.

CVE-2022-27429: V1.9.5: SSRF Vulnerability · Issue #67 · Cherry-toto/jizhicms

Jizhicms v1.9.5 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability via /admin.php/Plugins/update.html.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907