CVE-2019-7350

Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. This occurs because a set of multiple cookies (between 3 and 5) is being generated when a user successfully logs in, and these sets overlap for successive logins.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.3 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
zoneminderzoneminder
𝑥
≤ 1.32.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
zoneminder
bullseye
unimportant
bookworm
unimportant
sid
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
zoneminder
noble
needed
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
eoan
ignored
disco
ignored
cosmic
ignored
bionic
dne
xenial
needed
trusty
dne
Common Weakness Enumeration
References
https://github.com/ZoneMinder/zoneminder/issues/2471
https://github.com/ZoneMinder/zoneminder/issues/2471