Alpine: multiple zoneminder packages: security update to 1.36.31-r0

high Tenable Self-Hosted Container Security Plugin ID 427034

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- ZoneMinder is a free, open source Closed-circuit television software application The file parameter is
vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets.
This then allows a malicious user to provide code that will execute when a user views the specific log on
the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be
executed when loaded by a legitimate user. These actions will be performed with the permission of the
victim. This could lead to data loss and/or further exploitation including account takeover. This issue
has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to
upgrade should disable database logging. (CVE-2022-39285)

- ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the
ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification,
deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable
to upgrade should disable database logging. (CVE-2022-39289)

- ZoneMinder is a free, open source Closed-circuit television software application. In affected versions
authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web
application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key
from the request. An attacker can take advantage of this by using an HTTP GET request to perform actions
with no CSRF protection. This could allow an attacker to cause an authenticated user to perform unexpected
actions on the web application. Users are advised to upgrade as soon as possible. There are no known
workarounds for this issue. (CVE-2022-39290)

- ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of
zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new
data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log
information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database
performance and/or consume all storage resources. Users are advised to upgrade. There are no known
workarounds for this issue. (CVE-2022-39291)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-39285

https://security.alpinelinux.org/vuln/CVE-2022-39289

https://security.alpinelinux.org/vuln/CVE-2022-39290

https://security.alpinelinux.org/vuln/CVE-2022-39291

Plugin Details

Severity: High

ID: 427034

Version: Revision 1.5

Type: Local

Published: 5/16/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.1

Percentile: 52.96

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2022-39290

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-39289

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 10/7/2022

Reference Information

CVE: CVE-2022-39285, CVE-2022-39289, CVE-2022-39290, CVE-2022-39291