 |
Home ▼ Bookkeeping
Online ▼ Security
Audits ▼
Managed
DNS ▼
About
Order
FAQ
Acceptable Use Policy
Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password Network
Monitor ▼
Enterprise Package
Advanced Package
Standard Package
Free Trial
FAQ
Price/Feature Summary
Order/Renew
Examples
Configure/Status Alert Profiles | ||
| Test ID: | 1.3.6.1.4.1.25623.1.1.10.2017.0162 |
| Category: | Mageia Linux Local Security Checks |
| Title: | Mageia: Security Advisory (MGASA-2017-0162) |
| Summary: | The remote host is missing an update for the 'perl-Sys-MemInfo, zoneminder' package(s) announced via the MGASA-2017-0162 advisory. |
| Description: | Summary: The remote host is missing an update for the 'perl-Sys-MemInfo, zoneminder' package(s) announced via the MGASA-2017-0162 advisory. Vulnerability Insight: This update fixes the following security issues: Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI. (CVE-2016-10140) Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php. (CVE-2016-10201) Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. (CVE-2016-10202) Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor. (CVE-2016-10203) SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. (CVE-2016-10204) Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. (CVE-2016-10205) Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. (CVE-2016-10206) Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others). (CVE-2017-5367) ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others). (CVE-2017-5368) A file disclosure and ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'perl-Sys-MemInfo, zoneminder' package(s) on Mageia 5. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2016-10140 BugTraq ID: 96849 http://www.securityfocus.com/bid/96849 http://seclists.org/bugtraq/2017/Feb/6 http://seclists.org/fulldisclosure/2017/Feb/11 Common Vulnerability Exposure (CVE) ID: CVE-2016-10201 https://www.foxmole.com/advisories/foxmole-2016-07-05.txt http://www.openwall.com/lists/oss-security/2017/02/05/1 Common Vulnerability Exposure (CVE) ID: CVE-2016-10202 Common Vulnerability Exposure (CVE) ID: CVE-2016-10203 BugTraq ID: 97122 http://www.securityfocus.com/bid/97122 Common Vulnerability Exposure (CVE) ID: CVE-2016-10204 Common Vulnerability Exposure (CVE) ID: CVE-2016-10205 BugTraq ID: 97116 http://www.securityfocus.com/bid/97116 Common Vulnerability Exposure (CVE) ID: CVE-2016-10206 BugTraq ID: 97114 http://www.securityfocus.com/bid/97114 Common Vulnerability Exposure (CVE) ID: CVE-2017-5367 BugTraq ID: 96120 http://www.securityfocus.com/bid/96120 Common Vulnerability Exposure (CVE) ID: CVE-2017-5368 BugTraq ID: 96126 http://www.securityfocus.com/bid/96126 Common Vulnerability Exposure (CVE) ID: CVE-2017-5595 BugTraq ID: 96125 http://www.securityfocus.com/bid/96125 https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 Common Vulnerability Exposure (CVE) ID: CVE-2017-7203 BugTraq ID: 97001 http://www.securityfocus.com/bid/97001 |
| Copyright | Copyright (C) 2022 Greenbone AG |
| This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |