Zoneminder: >> Zoneminder >> 1.26.4 Security Vulnerabilities
ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.
CVSS Score
9.8
EPSS Score
0.771
Published
2022-04-26
ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php.
CVSS Score
6.1
EPSS Score
0.005
Published
2020-09-17
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-02-18
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-02-18
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-02-18
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-02-18
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.
CVSS Score
9.8
EPSS Score
0.03
Published
2019-02-18
ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-02-18
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.
CVSS Score
9.8
EPSS Score
0.003
Published
2019-02-18
POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[Query][terms][0][val]' parameter value in the view filter (filter.php) because proper filtration is omitted.
CVSS Score
6.1
EPSS Score
0.004
Published
2019-02-04