Filtered by vendor Zoneminder
Subscriptions
Total
83 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2008-3881 | 1 Zoneminder | 1 Zoneminder | 2025-04-09 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder 1.23.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified "zm_html_view_*.php" files. | ||||
| CVE-2008-3882 | 1 Zoneminder | 1 Zoneminder | 2025-04-09 | N/A |
| Unspecified "Command Injection" vulnerability in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary commands via (1) the executeFilter function in zm_html_view_events.php and (2) the run_state parameter to zm_html_view_state.php. | ||||
| CVE-2008-1381 | 1 Zoneminder | 1 Zoneminder | 2025-04-09 | N/A |
| ZoneMinder before 1.23.3 allows remote authenticated users, and possibly unauthenticated attackers in some installations, to execute arbitrary commands via shell metacharacters in a crafted URL. | ||||
| CVE-2023-25825 | 1 Zoneminder | 1 Zoneminder | 2025-03-10 | 7.7 High |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious referrer field. This is unescaped when viewing the logs in the web ui. This issue is patched in version 1.36.33. | ||||
| CVE-2023-26032 | 1 Zoneminder | 1 Zoneminder | 2025-03-10 | 8.9 High |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain SQL Injection via malicious jason web token. The Username field of the JWT token was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT token and use it to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. | ||||
| CVE-2023-26034 | 1 Zoneminder | 1 Zoneminder | 2025-03-10 | 9.6 Critical |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution. | ||||
| CVE-2023-26036 | 1 Zoneminder | 1 Zoneminder | 2025-03-10 | 8.1 High |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath, however dentaintPath does not properly sandbox the path. This can be exploited by constructing paths like "..././", which get replaced by "../". This issue is patched in versions 1.36.33 and 1.37.33. | ||||
| CVE-2023-26037 | 1 Zoneminder | 1 Zoneminder | 2025-03-10 | 8.9 High |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. | ||||
| CVE-2023-26038 | 1 Zoneminder | 1 Zoneminder | 2025-03-10 | 5.4 Medium |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33. | ||||
| CVE-2023-26039 | 1 Zoneminder | 1 Zoneminder | 2025-03-10 | 7.1 High |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33. | ||||
| CVE-2023-26035 | 1 Zoneminder | 1 Zoneminder | 2025-02-13 | 7.2 High |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33. | ||||
| CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 4.6 Medium |
| Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. | ||||
| CVE-2022-30768 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 5.4 Medium |
| A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 and requires a different attack method. | ||||
| CVE-2022-29806 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 9.8 Critical |
| ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability. | ||||
| CVE-2020-25729 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 6.1 Medium |
| ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php. | ||||
| CVE-2019-8429 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | N/A |
| ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. | ||||
| CVE-2019-8428 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | N/A |
| ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value. | ||||
| CVE-2019-8427 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | N/A |
| daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters. | ||||
| CVE-2019-8426 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | N/A |
| skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter. | ||||
| CVE-2019-8425 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | N/A |
| includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages. | ||||