CVE-2022-30768 Stored XSS flaw in ZoneMinder 1.36.12 allows Admin users to execute arbitrary HTML or JavaScript when they log out.

This XSS can be exploited by an attacker when they:
Have a specific username and password combination and are logged into the system.
Are an Admin who has logged into the system and has the ability to see other users’ usernames.
Are a user with a specific username and password combination who can see other users’ usernames.

An attacker can take advantage of this XSS in the following ways:
By posting a message in the system that reveals information about the user. For example, posting a message that reveals the name of another user.
By posting a message that reveals information about the system. For example, posting a message that reveals what CPU capacity the system has.
By posting a message that reveals information about the system that can be used to access the system. For example, posting a message that reveals what IP camera the system has access to.

Vulnerability discovery and implications

A vulnerability of this type is usually found during the development phase. This can happen because the developers may not have corrected a security flaw that was discovered in one of their previous projects. The vulnerability may also be found when users are testing the system, because they can access information that should not be accessible to them. The most common instance where this vulnerability is exploited is when someone with a specific username and password combination takes advantage of it by posting a message in the system that reveals information about the user.

Vulnerabilities like these can lead to a variety of outcomes, such as:
Unauthorized access to data through information disclosure or modification
Unauthorized access to system resources
Denial of service (DoS) attacks
Data leakage
