Zoneminder

zoneminder

Vendor: Zoneminder • 85 CVEs

CVEs (85)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-6992 1Zoneminder 1Zoneminder Nov 21, 2024 Jan 28, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a long NAME or PROTOCOL to the index.php...Show more A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a long NAME or PROTOCOL to the index.php?view=controlcaps URI.Show less
CVE-2019-6991 1Zoneminder 1Zoneminder Nov 21, 2024 Jan 28, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A classic Stack-based buffer overflow exists in the zmLoadUser() function in zm_user.cpp of the zmu binary in ZoneMinder through 1.32.3, allowing an unauthenticated attacker to execute code via a long username.
CVE-2019-6990 1Zoneminder 1Zoneminder Nov 21, 2024 Jan 28, 2019 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the index.php?view=zone...Show more A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the index.php?view=zones&action=zoneImage&mid=1 URI.Show less
CVE-2019-6777 1Zoneminder 1Zoneminder Nov 21, 2024 Jan 24, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in web/skins/classic/views/plugin.php via the zm/index.php?view=plugin pl parameter.
CVE-2018-1000833 1Zoneminder 1Zoneminder Nov 21, 2024 Dec 20, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution.
CVE-2018-1000832 1Zoneminder 1Zoneminder Nov 21, 2024 Dec 20, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution.
CVE-2017-7203 1Zoneminder 1Zoneminder May 13, 2026 Mar 21, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A Cross-Site Scripting (XSS) was discovered in ZoneMinder before 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/v...Show more A Cross-Site Scripting (XSS) was discovered in ZoneMinder before 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.Show less
CVE-2016-10206 1Zoneminder 1Zoneminder May 13, 2026 Mar 3, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact a...Show more Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php.Show less
CVE-2016-10205 1Zoneminder 1Zoneminder May 13, 2026 Mar 3, 2017 N/A· v4 7.3 HIGH· v3 7.5 HIGH· v2 Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.
CVE-2016-10204 1Zoneminder 1Zoneminder May 13, 2026 Mar 3, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php.
CVE-2016-10203 1Zoneminder 1Zoneminder May 13, 2026 Mar 3, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor.
CVE-2016-10202 1Zoneminder 1Zoneminder May 13, 2026 Mar 3, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php.
CVE-2016-10201 1Zoneminder 1Zoneminder May 13, 2026 Mar 3, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php.
CVE-2017-5595 1Zoneminder 1Zoneminder May 13, 2026 Feb 6, 2017 N/A· v4 5.5 MEDIUM· v3 2.1 LOW· v2 A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read loc...Show more A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request.Show less
CVE-2017-5368 1Zoneminder 1Zoneminder May 13, 2026 Feb 6, 2017 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in vict...Show more ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).Show less
CVE-2017-5367 1Zoneminder 1Zoneminder May 13, 2026 Feb 6, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts wi...Show more Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others).Show less
CVE-2016-10140 1Zoneminder 1Zoneminder May 13, 2026 Jan 13, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all director...Show more Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI.Show less
CVE-2013-0332 1Zoneminder 1Zoneminder Apr 29, 2026 Mar 20, 2013 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x before 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) view, (2) request, or (3) action parameter.
CVE-2013-0232 1Zoneminder 1Zoneminder Apr 29, 2026 Mar 20, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; o...Show more includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.Show less
CVE-2008-6756 1Zoneminder 1Zoneminder Apr 23, 2026 Apr 27, 2009 N/A· v4 N/A· v3 2.1 LOW· v2 ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for /etc/zm.conf, which allows local users to obtain the database username and password by reading this file.

Previous 1 2 345 Next