Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 4 Feb 2017 21:32:29 -0500
From: <cve-assign@...re.org>
To: <advisories@...mole.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: [FOXMOLE SA 2016-07-05] ZoneMinder - Multiple Issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
> The following findings are only examples there are quite more.

> 1)Cross Site Scripting (XSS)

> [] index.php?view=request&
> request=log&
> task=download&
> key=a9fef1f4&
> format=[XSS]

Use CVE-2016-10201.


> [] index.php/[XSS]

Use CVE-2016-10202.


> [] Creating a new monitor using [XSS in] the name

Use CVE-2016-10203.


> [] 2)SQL Injection
> Parameter: limit (POST)

Use CVE-2016-10204.


> [] 3)Session Fixation
> After a successful authentication the Session Cookie ZMSESSID remains the same.

Use CVE-2016-10205.


> [] 4)No CSRF Protection
> A possible CSRF attack form, which changes the password of the admin

Use CVE-2016-10206.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYlo37AAoJEHb/MwWLVhi2nWEP/219hKMVosSqRw9bj9SbRjbL
bRGYYuYjwbE7/JWLFL0o0IdjoO3Rndkwg39SAn4Bf92ZbSk+mrTLDHyM+sOI0JBD
5m9/yE1Oh/Nnlw0dwNSL74Qo1LeHlj6Dq1WbALwQy+Nr46PYrKTeK2RyOFtX2mXF
ogzDiPv6vzkRaAp90T5eVkTLUm6WUhvo0lsE0w2B5iJLDXZ9JWyCyRiagJhwTqCa
pRfvRG/0k6rar7lsyxVVC1LhAAhKiJUo7ZKH+3RAcvd+0S0FOWUH2SEhiDpqvnQS
WAx8Y/iE6Ijuymlmd0U+CeEg3dIpnqFu6haof/m+g5pNFXJlQbnElwW80rH2b56n
rhG8xNx+hd9tUKqtfTIX+T4dXkGcWEe5A9dqBN6BNmzNXWJ6tmSuFyGTDfsyMWxH
ima3jgZVmoIYlVxfUXNrUMetsdD1nDr1bGFsecN+WV8JaTf9lo1vEum1NHMr4ruC
hxFmDVGsmxJa2VEmqcRrAGs6JYvJKiQT0gu7y8g2EeYzRiprdlh9sLaPnG9aXgQa
M+OD0M2tgcc4hFCbS65jxyf8NmaIKBR2UuApkDQxIO4uv7neuIuBvJr16STE2baZ
jkWbYAtZDyXtJ5Vs5+Nb6IhdYcq6eW6/2qfz7AI48cSZHWop6l8o6q01VkgrLU/h
0pxDmijjxjLENgyn6Mg0
=jw7Y
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.