CVE-2019-7346
CVE-2019-7346 corresponds to a ZoneMinder CSRF issue affecting versions up to 1.32.3. The vulnerability stems from a CSRF check failure that triggers a callback displaying a “Try again” button, which can be used to resend the failed request and makes the CSRF attack successful. Sources across mul...
CVE-2019-7327
CVE-2019-7327 affects ZoneMinder up to version 1.32.3. The issue is a reflected Cross‑Site Scripting (XSS) vulnerability triggered by the vulnerable scale parameter in the frame view (frame.php), due to improper filtration. The documented impact is that an attacker can execute arbitrary HTML or J...
CVE-2019-7325
Reflected Cross-Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as multiple views under web/skins/classic/views insecurely utilize $_REQUEST['PHP_SELF'], without applying any proper filtration...
CVE-2019-7335
Self-Stored XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'log' as it insecurely prints the 'Log Message' value on the web page without applying any proper filtration. This relates to the view=logs value...
CVE-2019-7331
Self-Stored Cross-Site Scripting (XSS) exists in ZoneMinder through 1.32.3 while editing an existing monitor field named "signal check color" (monitor.php). There exists no input validation or output filtration, leaving it vulnerable to HTML Injection and an XSS attack...
CVE-2019-7342
ZoneMinder ≤ 1.32.3 is affected by a Cross-Site Scripting (XSS) vulnerability in the view filter (filter.php). The issue stems from improper filtration of the filter[AutoExecuteCmd] parameter, allowing an attacker to inject HTML or JavaScript. Impact is attacker-controlled code execution in the b...
CVE-2019-7333
CVE-2019-7333: Reflected XSS in ZoneMinder up to version 1.32.3. The issue arises in the view_download (download.php) via the Exportfile parameter, where input is not properly filtered. Exploitation details are not provided in the supplied documents. No patch/version remediation is specified her...
CVE-2019-7347
The CVE-2019-7347 entry concerns ZoneMinder up to version 1.32.3, where a TOCTOU race condition allows a user session to remain active after deletion from the users table. This enables a nonexistent user to access and modify records (e.g., adding/deleting Monitors or Users). The connected documen...
CVE-2019-7349
Reflected Cross-Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[V4LCapturesPerFrame]' parameter value in the view 'monitor' (monitor.php) because proper filtration is omitted...
CVE-2019-7348
ZoneMinder
CVE-2019-7346
A CSRF check issue exists in ZoneMinder through 1.32.3 as whenever a CSRF check fails, a callback function is called displaying a "Try again" button, which allows resending the failed request, making the CSRF attack successful...
CVE-2019-7337
Reflected Cross-Site Scripting (XSS) exists in ZoneMinder through 1.32.3 as the view 'events' (events.php) insecurely displays the limit parameter value, without applying any proper output filtration. This issue exists because of the function sortHeader in functions.php, which insecurely returns the...
CVE-2019-7326
Self-Stored Cross-Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'Host' parameter value in the view 'console' (console.php) because proper filtration is omitted. This relates to the index.php?view=monitor Host Name...
CVE-2019-7341
Reflected Cross-Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[LinkedMonitors]' parameter value in the view 'monitor' (monitor.php) because proper filtration is omitted...
CVE-2019-7345
Self-Stored Cross-Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'options' (options.php) does no input validation for the WEB_TITLE, HOME_URL, HOME_CONTENT, or WEB_CONSOLE_BANNER value, allowing an attacker to execute HTML or JavaScript code. This relates to functions.php...
CVE-2019-7342
POST - Cross-Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[AutoExecuteCmd]' parameter value in the view 'filter' (filter.php) because proper filtration is omitted...
CVE-2019-7329
CVE-2019-7329 is a reflected XSS in ZoneMinder up to version 1.32.3. The vulnerability arises because several form actions use $_SERVER['PHP_SELF'] without proper input filtration, allowing arbitrary input appended to the webroot URL to be reflected in the page. The connected OpenVAS and OSV entr...
CVE-2019-7339
CVE-2019-7339 is a ZoneMinder XSS vulnerability: ZoneMinder versions up to 1.32.3 allow remote execution of HTML/JavaScript via the vulnerable level parameter in log.php due to incomplete input filtration. The connected documents confirm the affected product (ZoneMinder), the vulnerable component...