By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Accept
Green Plus icon
Home
/
Research
/
Zero Day Discovery
/
CVE-2019-6990: Multiple Vulnerabilities identified in ZoneMinder

CVE-2019-6990: Multiple Vulnerabilities identified in ZoneMinder

Vulnerability Reports
February 11, 2019
Profile Icon

Jason Franscisco

Multiple Vulnerabilities identified in ZoneMinder

Loginsoft-2019-1038

February 11, 2019

About Package

ZoneMinder is an open source surveillance software system provider which stands best in delivering the high standard state of art surveillance cameras and other related security solutions which mainly concentrate on functions like capturing, analyzing, recording and monitoring of CCTV or security cameras. ZoneMinder allows you monitor as you wish irrespective of the size and scope of the target environment. The application mainly concentrates on Home Security, Theft Prevention, Industrial and Commercial Security and also on Household security surveillance services.

Vulnerability Detected: Cross Site Scripting Attack (XSS)

CWE: 79

Impact: XSS attacks mainly focus on implanting the malicious code into the trusted websites which lays the path for the attacker to invade into the system with the help of implanted code upon execution.

Identified CVEs :

CVE-2019-6990 CVE-2019-7332 CVE-2019-7341
CVE-2019-6992 CVE-2019-7333 CVE-2019-7342
CVE-2019-7325 CVE-2019-7334 CVE-2019-7343
CVE-2019-7326 CVE-2019-7335 CVE-2019-7344
CVE-2019-7327 CVE-2019-7336 CVE-2019-7345
CVE-2019-7328 CVE-2019-7337 CVE-2019-7346
CVE-2019-7329 CVE-2019-7338 CVE-2019-7348
CVE-2019-7330 CVE-2019-7339 CVE-2019-7349
CVE-2019-7331 CVE-2019-7340 CVE-2019-7352
Vulnerability Detected: Cross Site Request Forgery (CSRF)

CWE: 120

Impact: CSRF attack target the state changing requests and tries to force the end user to execute the unwanted or malicious code on the web application. These attacks also attract the victim user to perform the web actions as guided by the attacker such as changing the email address or password or even transferring the funds from one account to the other.

Identified CVEs : CVE-2019-7346

Vulnerability Detected: Log Injection

CWE: 74

Impact: Unvalidated user input data is injected into the log file, causing the addition of custom log events into the web page.

Identified CVEs : CVE-2019-7351

Vulnerability Detected: Session Fixation

CWE: 384

Impact: Attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account.

Identified CVEs : CVE-2019-7350

Vulnerability Detected: Stack Overflow

CWE: 120

Impact: When the memory input exceeds the limit of the the stack an overflow occurs resulting in the data exploitation. This is high severity case as it tends to perform the arbitrary code execution or may cause Denial of Service.

Identified CVEs : CVE-2019-6991

Vulnerability Detected: TOCTOU Race Condition

CWE: 362

Impact: The TOCTOU vulnerability affects the system behavior and triggers the uncontrollable events as the sequence timing is exploited.

Identified CVEs

CVE-2019-7347

Timeline

Vendor Disclosure: 2019-01-24

Public Disclosure: 2019-02-11

Credit

Discovered by ACE Team – Loginsoft

Explore Cybersecurity Platforms

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros.

Discover Lovi

Sign up to our Newsletter

Cybersecurity Solutions
Vulnerability IntelligenceSecurity & Threat Intelligence IntegrationsVulnerability & Configuration ManagementOSS - Software Composition AnalysisOSS - Dependancy DefenceOSS - Zero-Day DiscoveryThreat IntelligenceExternal Attack Surface DiscoveryCloud Security Posture ManagementCloud Workload Protection
IT Solutions
Data Science & AISoftware Development  & SupportQA AutomationStaff Augmentation
Platforms
LOVICytellite
Company
BlogsReportsAbout usCareers
Research
Research-as-a -ServiceZero-Day Discovery
1-703-956-7410info@loginsoft.com
© 2024 - Copyright
Privacy policy