Zoneminder

10 matches found

CVE
added 2017/01/13 9:59 a.m., 88 views

CVE-2016-10140

Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV ...

CVSS 7.5 | AI score 7.5 | EPSS 0.34266

CVE
added 2019/02/04 7:29 p.m., 73 views

CVE-2019-7350

Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. This occurs because a set of multiple cookies (between 3 and 5) is being generated when a user successfully logs in, and these ...

CVSS 7.3 | AI score 7.2 | EPSS 0.00313

CVE
added 2013/03/20 3:55 p.m., 71 views

CVE-2013-0232

includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.

CVSS 7.5 | AI score 7.7 | EPSS 0.7823
Web

CVE
added 2022/10/07 9:15 p.m., 70 views

CVE-2022-39285

ZoneMinder is a free, open source Closed-circuit television software application. The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the...

CVSS 7.6 | AI score 5.8 | EPSS 0.00498

CVE
added 2019/02/04 7:29 p.m., 67 views

CVE-2019-7347

A Time-of-check Time-of-use (TOCTOU) Race Condition exists in ZoneMinder through 1.32.3 as a session remains active for an authenticated user even after deletion from the users table. This allows a nonexistent user to access and modify records (add/delete Monitors, Users, etc.).

CVSS 7.5 | AI score 7.3 | EPSS 0.00699

CVE
added 2024/08/12 8:15 p.m., 51 views

CVE-2023-41884

ZoneMinder is a free, open source Closed-circuit television software application. In WWW/AJAX/watch.php, line 51 takes a few parameters in a SQL query without sanitizing them, which makes it vulnerable to SQL injection. This vulnerability is fixed in 1.36.34.

CVSS 7.1 | AI score 6.9 | EPSS 0.00194

CVE
added 2017/03/03 3:59 p.m., 49 views

CVE-2016-10205

Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.

CVSS 7.5 | AI score 7.5 | EPSS 0.00743

CVE
added 2023/02/25 1:15 a.m., 42 views

CVE-2023-25825

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious referrer field. This is ...

CVSS 7.7 | AI score 6.1 | EPSS 0.00523

CVE
added 2008/05/01 7:5 p.m., 40 views

CVE-2008-1381

ZoneMinder before 1.23.3 allows remote authenticated users, and possibly unauthenticated attackers in some installations, to execute arbitrary commands via shell metacharacters in a crafted URL.

CVSS 7.5 | AI score 7.2 | EPSS 0.01505

CVE
added 2008/09/02 3:41 p.m., 36 views

CVE-2008-3880

SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary SQL commands via the filter array parameter.

CVSS 7.5 | AI score 8.2 | EPSS 0.00422