Re: [FOXMOLE SA 2016-07-05] ZoneMinder - Multiple Issues

[<cve-assign () mitre org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
> The following findings are only examples there are quite more.

> 1)Cross Site Scripting (XSS)

> [] index.php?view=request&
> request=log&
> task=download&
> key=a9fef1f4&
> format=[XSS]

Use CVE-2016-10201.


> [] index.php/[XSS]

Use CVE-2016-10202.


> [] Creating a new monitor using [XSS in] the name

Use CVE-2016-10203.


> [] 2)SQL Injection
> Parameter: limit (POST)

Use CVE-2016-10204.


> [] 3)Session Fixation
> After a successful authentication the Session Cookie ZMSESSID remains the same.

Use CVE-2016-10205.


> [] 4)No CSRF Protection
> A possible CSRF attack form, which changes the password of the admin

Use CVE-2016-10206.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYlo37AAoJEHb/MwWLVhi2nWEP/219hKMVosSqRw9bj9SbRjbL
bRGYYuYjwbE7/JWLFL0o0IdjoO3Rndkwg39SAn4Bf92ZbSk+mrTLDHyM+sOI0JBD
5m9/yE1Oh/Nnlw0dwNSL74Qo1LeHlj6Dq1WbALwQy+Nr46PYrKTeK2RyOFtX2mXF
ogzDiPv6vzkRaAp90T5eVkTLUm6WUhvo0lsE0w2B5iJLDXZ9JWyCyRiagJhwTqCa
pRfvRG/0k6rar7lsyxVVC1LhAAhKiJUo7ZKH+3RAcvd+0S0FOWUH2SEhiDpqvnQS
WAx8Y/iE6Ijuymlmd0U+CeEg3dIpnqFu6haof/m+g5pNFXJlQbnElwW80rH2b56n
rhG8xNx+hd9tUKqtfTIX+T4dXkGcWEe5A9dqBN6BNmzNXWJ6tmSuFyGTDfsyMWxH
ima3jgZVmoIYlVxfUXNrUMetsdD1nDr1bGFsecN+WV8JaTf9lo1vEum1NHMr4ruC
hxFmDVGsmxJa2VEmqcRrAGs6JYvJKiQT0gu7y8g2EeYzRiprdlh9sLaPnG9aXgQa
M+OD0M2tgcc4hFCbS65jxyf8NmaIKBR2UuApkDQxIO4uv7neuIuBvJr16STE2baZ
jkWbYAtZDyXtJ5Vs5+Nb6IhdYcq6eW6/2qfz7AI48cSZHWop6l8o6q01VkgrLU/h
0pxDmijjxjLENgyn6Mg0
=jw7Y
-----END PGP SIGNATURE-----