Alpine: multiple zoneminder packages: security update to 1.36.7-r0

Critical, Tenable Self-Hosted Container Security, Plugin ID 427121

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter. (CVE-2019-8423)

- An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?view=plugin pl parameter. (CVE-2019-6777)

- A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the index.php?view=zones&action=zoneImage&mid=1 URI. (CVE-2019-6990)

- A classic Stack-based buffer overflow exists in the zmLoadUser() function in zm_user.cpp of the zmu binary in ZoneMinder through 1.32.3, allowing an unauthenticated attacker to execute code via a long username. (CVE-2019-6991)

- A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a long NAME or PROTOCOL to the index.php?view=controlcaps URI. (CVE-2019-6992)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-13072

https://security.alpinelinux.org/vuln/CVE-2019-6777

https://security.alpinelinux.org/vuln/CVE-2019-6990

https://security.alpinelinux.org/vuln/CVE-2019-6991

https://security.alpinelinux.org/vuln/CVE-2019-6992

https://security.alpinelinux.org/vuln/CVE-2019-7325

https://security.alpinelinux.org/vuln/CVE-2019-7326

https://security.alpinelinux.org/vuln/CVE-2019-7327

https://security.alpinelinux.org/vuln/CVE-2019-7328

https://security.alpinelinux.org/vuln/CVE-2019-7329

https://security.alpinelinux.org/vuln/CVE-2019-7330

https://security.alpinelinux.org/vuln/CVE-2019-7331

https://security.alpinelinux.org/vuln/CVE-2019-7332

https://security.alpinelinux.org/vuln/CVE-2019-7333

https://security.alpinelinux.org/vuln/CVE-2019-7334

https://security.alpinelinux.org/vuln/CVE-2019-7335

https://security.alpinelinux.org/vuln/CVE-2019-7336

https://security.alpinelinux.org/vuln/CVE-2019-7337

https://security.alpinelinux.org/vuln/CVE-2019-7338

https://security.alpinelinux.org/vuln/CVE-2019-7339

https://security.alpinelinux.org/vuln/CVE-2019-7340

https://security.alpinelinux.org/vuln/CVE-2019-7341

https://security.alpinelinux.org/vuln/CVE-2019-7342

https://security.alpinelinux.org/vuln/CVE-2019-7343

https://security.alpinelinux.org/vuln/CVE-2019-7344

https://security.alpinelinux.org/vuln/CVE-2019-7345

https://security.alpinelinux.org/vuln/CVE-2019-7346

https://security.alpinelinux.org/vuln/CVE-2019-7347

https://security.alpinelinux.org/vuln/CVE-2019-7348

https://security.alpinelinux.org/vuln/CVE-2019-7349

https://security.alpinelinux.org/vuln/CVE-2019-7350

https://security.alpinelinux.org/vuln/CVE-2019-7351

https://security.alpinelinux.org/vuln/CVE-2019-7352

https://security.alpinelinux.org/vuln/CVE-2019-8423

https://security.alpinelinux.org/vuln/CVE-2020-25729

Plugin Details

Severity: Critical

ID: 427121

Version: Revision 1.2

Type: Local

Published: 5/16/2025

Updated: 5/30/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-8423

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 1/24/2019

Reference Information

CVE: CVE-2019-13072, CVE-2019-6777, CVE-2019-6990, CVE-2019-6991, CVE-2019-6992, CVE-2019-7325, CVE-2019-7326, CVE-2019-7327, CVE-2019-7328, CVE-2019-7329, CVE-2019-7330, CVE-2019-7331, CVE-2019-7332, CVE-2019-7333, CVE-2019-7334, CVE-2019-7335, CVE-2019-7336, CVE-2019-7337, CVE-2019-7338, CVE-2019-7339, CVE-2019-7340, CVE-2019-7341, CVE-2019-7342, CVE-2019-7343, CVE-2019-7344, CVE-2019-7345, CVE-2019-7346, CVE-2019-7347, CVE-2019-7348, CVE-2019-7349, CVE-2019-7350, CVE-2019-7351, CVE-2019-7352, CVE-2019-8423, CVE-2020-25729