CVE-2016-10205 : Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote atta

Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.

Published 2017-03-03 15:59:01

Updated 2017-03-29 01:59:01

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2016-10205

Zoneminder » Zoneminder
Versions up to, including, (<=) 1.30.0
cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.74%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 71 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.3	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	3.9	3.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Assigned by: nvd@nist.gov (Primary)

http://www.securityfocus.com/bid/97116

ZoneMinder CVE-2016-10205 Session Fixation Vulnerability
http://www.openwall.com/lists/oss-security/2017/02/05/1

oss-security - Re: [FOXMOLE SA 2016-07-05] ZoneMinder - Multiple Issues
Exploit;Mailing List

CVEs referencing this url
https://www.foxmole.com/advisories/foxmole-2016-07-05.txt

Startseite
Exploit;Third Party Advisory

CVEs referencing this url

Jump to