Exploits / Vulnerability Discovered : 2019-07-01 |
Type : webapps |
Platform : php
This exploit / vulnerability Zoneminder 1.32.3 crosssite scripting is for educational purposes only and if it is used you will do on your own risk!
ZoneMinder 1.32.3 contains a stored cross site scripting vulnerability in the 'Filters' page. The 'Name' field used to create a new filter is not being properly sanitized. This allows an authenticated user to inject arbitrary javascript code, which will later be executed once a user returns to the Filters page.
The following curl command injects an alert(1) payload into the vulnerable field. The javascript is executed once a user visits the 'Filters' page.