Package: zoneminder
Severity: grave
Tags: security
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for zoneminder.

CVE-2008-3882[0]:
| ZoneMinder 1.23.3 and earlier allows remote attackers to execute
| arbitrary commands (aka "Command Injection") via (1) the executeFilter
| function in zm_html_view_events.php and (2) the run_state parameter to
| zm_html_view_state.php.

CVE-2008-3881[1]:
| Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder
| 1.23.3 and earlier allow remote attackers to inject arbitrary web
| script or HTML via unspecified parameters to unspecified
| "zm_html_view_*.php" files.

CVE-2008-3880[2]:
| SQL injection vulnerability in zm_html_view_event.php in ZoneMinder
| 1.23.3 and earlier allows remote attackers to execute arbitrary SQL
| commands via the filter array parameter.

Another security report including all the vulnerabilities can be found
here[3].

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3882
    http://security-tracker.debian.net/tracker/CVE-2008-3882
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3881
    http://security-tracker.debian.net/tracker/CVE-2008-3881
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3880
    http://security-tracker.debian.net/tracker/CVE-2008-3880
[3] http://www.securityfocus.com/archive/1/archive/1/495745/100/0/threaded

Cheers
Steffen