A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a long NAME or PROTOCOL to the index.php?view=controlcaps URI.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "1.29.0+dfsg-1ubuntu2+esm1", "binary_name": "zoneminder" }, { "binary_version": "1.29.0+dfsg-1ubuntu2+esm1", "binary_name": "zoneminder-dbg" }, { "binary_version": "1.29.0+dfsg-1ubuntu2+esm1", "binary_name": "zoneminder-dbgsym" }, { "binary_version": "1.29.0+dfsg-1ubuntu2+esm1", "binary_name": "zoneminder-doc" } ] }