Test ID: | 1.3.6.1.4.1.25623.1.1.10.2017.0162 |
Category: | Mageia Linux Local Security Checks |
Title: | Mageia: Security Advisory (MGASA-2017-0162) |
Summary: | The remote host is missing an update for the 'perl-Sys-MemInfo, zoneminder' package(s) announced via the MGASA-2017-0162 advisory. |
Description: | Vulnerability Insight: This update fixes the following security issues:
- CVE-2016-10140: An information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root; for example, a remote unauthenticated attacker can view all CCTV images on the server via the /events URI.
- CVE-2016-10201: Cross-site scripting (XSS) vulnerability in ZoneMinder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php.
- CVE-2016-10202: Cross-site scripting (XSS) vulnerability in ZoneMinder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php.
- CVE-2016-10203: Cross-site scripting (XSS) vulnerability in ZoneMinder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor.
- CVE-2016-10204: SQL injection vulnerability in ZoneMinder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php.
- CVE-2016-10205: Session fixation vulnerability in ZoneMinder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.
- CVE-2016-10206: Cross-site request forgery (CSRF) vulnerability in ZoneMinder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords, and possibly have unspecified other impact, as demonstrated by a crafted user action request to index.php.
- CVE-2017-5367: Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allow a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters include action=login&view=postlogin[XSS], view=console[XSS], view=groups[XSS], view=events&filter[terms][1][cnj]=and[XSS], view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS], view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others).
- CVE-2017-5368: ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery), which allows a remote attacker to make changes to the web application as the currently logged-in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters include action=user, uid=0, newUser[Username]=attacker1, newUser[Password]=Password1234, conf_password=Password1234 and newUser[System]=Edit (among others).
- A file disclosure and ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS: 'perl-Sys-MemInfo, zoneminder' package(s) on Mageia 5.
Solution: Please install the updated package(s).
CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
Cross References: |
- CVE-2016-10140: BugTraq ID 96849, http://www.securityfocus.com/bid/96849, http://seclists.org/bugtraq/2017/Feb/6, http://seclists.org/fulldisclosure/2017/Feb/11
- CVE-2016-10201: https://www.foxmole.com/advisories/foxmole-2016-07-05.txt, http://www.openwall.com/lists/oss-security/2017/02/05/1
- CVE-2016-10202
- CVE-2016-10203: BugTraq ID 97122, http://www.securityfocus.com/bid/97122
- CVE-2016-10204
- CVE-2016-10205: BugTraq ID 97116, http://www.securityfocus.com/bid/97116
- CVE-2016-10206: BugTraq ID 97114, http://www.securityfocus.com/bid/97114
- CVE-2017-5367: BugTraq ID 96120, http://www.securityfocus.com/bid/96120
- CVE-2017-5368: BugTraq ID 96126, http://www.securityfocus.com/bid/96126
- CVE-2017-5595: BugTraq ID 96125, http://www.securityfocus.com/bid/96125, https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3
- CVE-2017-7203: BugTraq ID 97001, http://www.securityfocus.com/bid/97001 |
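The local check above only tells you whether the Mageia packages are current. Until the update is applied, the attack patterns the advisory describes leave recognisable traces in the web server's access log. The following is an added example, not code from the advisory, Greenbone or the ZoneMinder project: it parses Apache combined-format log lines (the lines below are constructed for the example) and flags the symptom classes described above: a successful listing of a directory under /zm/events/ (CVE-2016-10140), a non-numeric limit parameter (CVE-2016-10204), markup characters in reflected parameters (CVE-2016-10201, CVE-2017-5367), and a user-creation request with newUser[System]=Edit whose Referer is missing or belongs to another site (CVE-2017-5368). The host name zm.example, the client addresses and the timestamps are assumptions; the CSRF detection assumes the parameters arrived in the query string, since a POST body is not written to the access log.

```python
"""Detect MGASA-2017-0162 attack patterns in Apache combined access logs.

Added example; not code from the advisory or from ZoneMinder.  All log
lines, addresses and the host name zm.example are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (assumption: ZoneMinder served under /zm/).
LOG_LINES = [
    '198.51.100.7 - - [10/Jun/2017:10:12:01 +0000] "GET /zm/events/ HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2017:10:12:05 +0000] "GET /zm/index.php?view=events&limit=1%22%3E%3C/a%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2017:10:12:09 +0000] "GET /zm/index.php?view=console%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [10/Jun/2017:10:15:30 +0000] "GET /zm/index.php?action=user&uid=0&newUser%5BUsername%5D=attacker1&newUser%5BPassword%5D=Password1234&conf_password=Password1234&newUser%5BSystem%5D=Edit HTTP/1.1" 302 - "http://evil.example/csrf.html" "Mozilla/5.0"',
    # Benign traffic: a normal event listing and a single capture image.
    '192.0.2.10 - admin [10/Jun/2017:10:20:00 +0000] "GET /zm/index.php?view=events&limit=25 HTTP/1.1" 200 9001 "http://zm.example/zm/index.php?view=console" "Mozilla/5.0"',
    '192.0.2.10 - admin [10/Jun/2017:10:20:04 +0000] "GET /zm/events/1/17/06/10/10/00/00/00123-capture.jpg HTTP/1.1" 200 33120 "http://zm.example/zm/index.php?view=event" "Mozilla/5.0"',
    # Benign: the same user-creation form submitted from the application itself.
    '192.0.2.10 - admin [10/Jun/2017:10:25:00 +0000] "GET /zm/index.php?action=user&uid=0&newUser%5BUsername%5D=operator2&newUser%5BSystem%5D=Edit HTTP/1.1" 302 - "http://zm.example/zm/index.php?view=user" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict with path and decoded query parameters, or None if malformed."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # keep_blank_values so that "limit=" still produces a "limit" key.
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def findings_for(rec, own_host):
    """Map one parsed request to the advisory symptom classes it matches."""
    out = []
    path, params = rec["path"], rec["params"]

    # CVE-2016-10140: autoindex on the event store.  A 200 for a bare
    # directory path (trailing slash) is a listing, not a capture image.
    if path.startswith("/zm/events/") and path.endswith("/") and rec["status"] == "200":
        out.append("directory listing under /zm/events/ (CVE-2016-10140)")

    if path.endswith("/index.php"):
        # CVE-2016-10204: limit is used in a SQL query; anything but digits is a probe.
        for v in params.get("limit", []):
            if not v.isdigit():
                out.append(f"non-numeric limit={v!r} (CVE-2016-10204)")
        # CVE-2016-10201 / CVE-2017-5367: markup in parameters the page reflects.
        for name, values in params.items():
            if name == "limit":
                continue  # already reported above
            for v in values:
                if re.search(r'[<>"\']', v):
                    out.append(f"markup in {name}={v!r} (reflected XSS probe)")
        # CVE-2017-5368: privileged user creation not originating from the app.
        # Apache logs "-" for a missing Referer; urlsplit("-").hostname is None.
        if params.get("action") == ["user"] and params.get("newUser[System]") == ["Edit"]:
            if urlsplit(rec["referer"]).hostname != own_host:
                out.append(f"admin-user creation with Referer {rec['referer']!r} (CVE-2017-5368 pattern)")
    return out


def scan(lines, own_host):
    """Return (client_ip, finding) pairs for every matching request, in log order."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        for finding in findings_for(rec, own_host):
            results.append((rec["ip"], finding))
    return results


if __name__ == "__main__":
    for ip, finding in scan(LOG_LINES, "zm.example"):
        print(f"{ip}: {finding}")
```

Two caveats for use on a real server. ZoneMinder's user form is normally submitted as a POST, so the CVE-2017-5368 check only sees parameters when they arrive in the query string; for POST bodies you need request-body logging (for example from a web application firewall in front of the server), and a Referer check is a heuristic in any case, since browsers may strip the header. The /zm/events/ check relies on the server answering 200 for a bare directory, which is exactly the autoindex behaviour CVE-2016-10140 describes; once the update is applied a listing request should no longer return 200, so a persisting hit there means the fix is not in place.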
Copyright | Copyright (C) 2022 Greenbone AG |