ZoneMinder: Security Vulnerabilities

ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.
CVSS Score: 9.8 | EPSS Score: 0.872 | Published: 2022-04-26

ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php.
CVSS Score: 6.1 | EPSS Score: 0.005 | Published: 2020-09-17

Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page.
CVSS Score: 5.4 | EPSS Score: 0.003 | Published: 2019-06-30

ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2019-02-18

ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2019-02-18

includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-02-18

skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2019-02-18

daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.
CVSS Score: 9.8 | EPSS Score: 0.049 | Published: 2019-02-18

ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2019-02-18

ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2019-02-18