Candidate: CVE-2019-7337
PublicDate: 2019-02-04 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7337
 https://github.com/ZoneMinder/zoneminder/issues/2456
Description:
 Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 as the view 'events' (events.php) insecurely displays the limit parameter value, without applying any proper output filtration. This issue exists because of the function sortHeader() in functions.php, which insecurely returns the value of the limit query string parameter without applying any filtration.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N [4.8 MEDIUM]

Patches_zoneminder:
 upstream: https://github.com/ZoneMinder/zoneminder/commit/fcbc22b6a27b2375327327c3d75995fe6a3cafd9
upstream_zoneminder: needs-triage
precise/esm_zoneminder: DNE
trusty_zoneminder: ignored (reached end-of-life)
trusty/esm_zoneminder: DNE (trusty was needs-triage)
xenial_zoneminder: ignored (end of standard support, was needed)
bionic_zoneminder: DNE
cosmic_zoneminder: ignored (reached end-of-life)
disco_zoneminder: ignored (reached end-of-life)
eoan_zoneminder: ignored (reached end-of-life)
focal_zoneminder: needed
groovy_zoneminder: ignored (reached end-of-life)
hirsute_zoneminder: ignored (reached end-of-life)
impish_zoneminder: needed
jammy_zoneminder: needed
devel_zoneminder: needed