Lucene search
1264 matches found

RedhatCVE
•added 2025/05/23 3:27 a.m.•6 views

CVE-2023-26038

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path c...

CVSS 6.5, AI score 6.7, EPSS 0.00249
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 10:50 p.m.•6 views

CVE-2022-30769

Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user...

CVSS 4.6, AI score 6.7, EPSS 0.00182
Exploits: 0, References: 1

RedhatCVE
•added 2025/05/22 10:49 p.m.•7 views

CVE-2022-30768

A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin or non-Admin users that can see other users logged into the platform clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 an...

CVSS 6.1, AI score 5.8, EPSS 0.00213
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 10:47 p.m.•7 views

CVE-2022-29806

ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability...

CVSS 9.8, AI score 7.8, EPSS 0.78761
Exploits: 6, References: 1

RedhatCVE
•added 2025/05/22 10:8 p.m.•5 views

CVE-2022-39291

ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request...

CVSS 5.4, AI score 6.2, EPSS 0.07159
Exploits: 4, References: 1

RedhatCVE
•added 2025/05/22 4:33 p.m.•3 views

CVE-2020-25730

Cross Site Scripting (XSS) vulnerability in ZoneMinder before version 1.34.21 allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via PHPSELF component in classic/views/download.php...

CVSS 8.2, AI score 6.4, EPSS 0.00255
Exploits: 0

RedhatCVE
•added 2025/05/22 3:22 p.m.•3 views

CVE-2020-25729

ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php...

CVSS 6.1, AI score 5.8, EPSS 0.00397
Exploits: 0

RedhatCVE
•added 2025/05/22 11:10 a.m.•10 views

CVE-2013-0332

Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x before 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) view, (2) request, or (3) action parameter...

CVSS 5, AI score 7.1, EPSS 0.25727
Exploits: 0, References: 1

RedhatCVE
•added 2025/05/22 10:23 a.m.•8 views

CVE-2019-7345

Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'options' (options.php) does no input validation for the WEBTITLE, HOMEURL, HOMECONTENT, or WEBCONSOLEBANNER value, allowing an attacker to execute HTML or JavaScript code. This relates to functions.php...

CVSS 4.8, AI score 5.8, EPSS 0.00235
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 10:18 a.m.•6 views

CVE-2019-6990

A stored-self XSS exists in web/skins/classic/views/zones.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a crafted Zone NAME to the index.php?view=zones=zoneImage&mid=1 URI...

CVSS 5.4, AI score 6, EPSS 0.00191
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 10:14 a.m.•8 views

CVE-2019-6992

A stored-self XSS exists in web/skins/classic/views/controlcaps.php of ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in a vulnerable field via a long NAME or PROTOCOL to the index.php?view=controlcaps URI...

CVSS 6.1, AI score 6, EPSS 0.00223
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 10:2 a.m.•7 views

CVE-2019-8425

includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages...

CVSS 6.1, AI score 6, EPSS 0.0033
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 9:59 a.m.•6 views

CVE-2019-8426

skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControlMinTiltRange parameter...

CVSS 6.1, AI score 5.8, EPSS 0.0033
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 8:54 a.m.•8 views

CVE-2019-8427

daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters...

CVSS 9.8, AI score 7.4, EPSS 0.03002
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 8:54 a.m.•9 views

CVE-2019-8428

ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroupMonitorIds value...

CVSS 9.8, AI score 8.1, EPSS 0.00329
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 8:51 a.m.•11 views

CVE-2019-7327

Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'scale' parameter value in the view frame (frame.php) because proper filtration is omitted...

CVSS 6.1, AI score 5.9, EPSS 0.00262
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 8:49 a.m.•5 views

CVE-2019-7337

Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 as the view 'events' (events.php) insecurely displays the limit parameter value, without applying any proper output filtration. This issue exists because of the function sortHeader in functions.php, which insecurely returns the...

CVSS 4.8, AI score 6, EPSS 0.00235
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 8:49 a.m.•6 views

CVE-2019-7346

A CSRF check issue exists in ZoneMinder through 1.32.3 as whenever a CSRF check fails, a callback function is called displaying a "Try again" button, which allows resending the failed request, making the CSRF attack successful...

CVSS 8.8, AI score 6.8, EPSS 0.00141
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 8:48 a.m.•6 views

CVE-2019-6991

A classic Stack-based buffer overflow exists in the zmLoadUser function in zmuser.cpp of the zmu binary in ZoneMinder through 1.32.3, allowing an unauthenticated attacker to execute code via a long username...

CVSS 9.8, AI score 7.7, EPSS 0.13529
Exploits: 1, References: 1

RedhatCVE
•added 2025/05/22 8:46 a.m.•6 views

CVE-2019-8423

ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filterQueryterms0cnj parameter...

CVSS 9.8, AI score 8.1, EPSS 0.00304
Exploits: 1, References: 1