CVE-2022-30769 : Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison

Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.

Published 2022-11-15 22:15:12

Updated 2022-11-17 05:21:17

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2022-30769

Zoneminder » Zoneminder
Versions up to, including, (<=) 1.36.12
cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 23 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.6	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N	2.1	2.5	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

Assigned by: nvd@nist.gov (Primary)

https://medium.com/@dk50u1/session-fixation-in-zoneminder-up-to-v1-36-12-3c850b1fbbf3

Session Fixation in Zoneminder up to v1.36.12 | by dk50u1 | Nov, 2022 | Medium
Exploit;Third Party Advisory
https://github.com/ZoneMinder/zoneminder/releases

Releases · ZoneMinder/zoneminder · GitHub
Third Party Advisory

CVEs referencing this url

Jump to