Stored Cross Site Scripting - Filters

[joeylane]

• ZoneMinder version 1.32.3
• Installed from PPA (Ubuntu Xenial)
• Ubuntu 16.04 Xenial

The 'Filters' page in ZoneMinder 1.32.3 is vulnerable to stored cross site scripting due to improper input sanitation in the 'Name' field. This is the latest version available in the Ubuntu 16.04 PPA. Please see attached screenshots.

Steps to reproduce the behavior:

1. Go to the "Filters" page.
2. In the "Name" field paste in a javascript payload such as "<script>alert('Vulnerable')</script>"
3. Refresh the page to verify that the payload executes and remains stored through browser sessions.

Expected behavior:
The user input fields should be sanitized. Special characters should be limited or escaped to prevent injection of malicious code.

[welcome]

Thanks for opening your first issue here! Just a reminder, this forum is for Bug Reports only. Be sure to follow the issue template!

[connortechnology]

This has already been fixed in master.

[rakeshsv]

This has already been fixed in master

Please can you give commit #

[tamir-ben]

This has already been fixed in master.

Can we get a commit please?

[SteveGilvarry]

Do you one better the original issue and closing commit. #2455