Bug 1429952 (CVE-2016-10201, CVE-2016-10202, CVE-2016-10203, CVE-2016-10204, CVE-2016-10205, CVE-2016-10206, CVE-2017-7203)

Summary: CVE-2016-10201 CVE-2016-10202 CVE-2016-10203 CVE-2016-10204 CVE-2016-10205 CVE-2016-10206 CVE-2017-7203 zoneminder: Multiple security issues
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cra, fedora, zonexpertconsulting
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:08:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1429953    
Bug Blocks:    

Description Andrej Nemec 2017-03-07 15:02:18 UTC 
Multiple security vulnerabilities in zoneminder were reported.

CVE-2016-10201 - Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php.

CVE-2016-10202 - Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php.

CVE-2016-10203 - Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor.

CVE-2016-10204 - SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php.

CVE-2016-10205 - Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.

CVE-2016-10206 - Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php.

External References:

https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
Comment 1 Andrej Nemec 2017-03-07 15:02:42 UTC 
Created zoneminder tracking bugs for this issue:

Affects: fedora-all [bug 1429953]
Comment 2 Andrej Nemec 2017-03-22 08:50:48 UTC 
CVE-2017-7203:

A Cross-Site Scripting (XSS) was discovered in ZoneMinder. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. 

References:

https://github.com/ZoneMinder/ZoneMinder/issues/1797
Comment 3 Product Security DevOps Team 2019-06-08 03:08:49 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.