Filtered by vendor Zoneminder
Total: 83 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-13072 | 1 Zoneminder | 1 Zoneminder | 2023-01-30 | 3.5 LOW | 5.4 MEDIUM |
Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page. | |||||
CVE-2022-29806 | 1 Zoneminder | 1 Zoneminder | 2022-05-06 | 7.5 HIGH | 9.8 CRITICAL |
ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability. | |||||
CVE-2020-25729 | 1 Zoneminder | 1 Zoneminder | 2020-09-24 | 4.3 MEDIUM | 6.1 MEDIUM |
ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php. | |||||
CVE-2019-8427 | 1 Zoneminder | 1 Zoneminder | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters. | |||||
CVE-2019-6991 | 1 Zoneminder | 1 Zoneminder | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
A classic stack-based buffer overflow exists in the zmLoadUser() function in zm_user.cpp of the zmu binary in ZoneMinder through 1.32.3, allowing an unauthenticated attacker to execute code via a long username. | |||||
CVE-2019-7347 | 1 Zoneminder | 1 Zoneminder | 2020-08-24 | 6.0 MEDIUM | 7.5 HIGH |
A Time-of-check Time-of-use (TOCTOU) Race Condition exists in ZoneMinder through 1.32.3 as a session remains active for an authenticated user even after deletion from the users table. This allows a nonexistent user to access and modify records (add/delete Monitors, Users, etc.). | |||||
CVE-2018-1000832 | 1 Zoneminder | 1 Zoneminder | 2019-10-03 | 10.0 HIGH | 9.8 CRITICAL |
ZoneMinder version <= 1.32.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, remote code execution. | |||||
CVE-2019-8423 | 1 Zoneminder | 1 Zoneminder | 2019-02-19 | 7.5 HIGH | 9.8 CRITICAL |
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter. | |||||
CVE-2019-8426 | 1 Zoneminder | 1 Zoneminder | 2019-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter. | |||||
CVE-2019-8425 | 1 Zoneminder | 1 Zoneminder | 2019-02-19 | 4.3 MEDIUM | 6.1 MEDIUM |
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages. | |||||
CVE-2019-8424 | 1 Zoneminder | 1 Zoneminder | 2019-02-19 | 7.5 HIGH | 9.8 CRITICAL |
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter. | |||||
CVE-2019-8429 | 1 Zoneminder | 1 Zoneminder | 2019-02-19 | 7.5 HIGH | 9.8 CRITICAL |
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. | |||||
CVE-2019-8428 | 1 Zoneminder | 1 Zoneminder | 2019-02-19 | 7.5 HIGH | 9.8 CRITICAL |
ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value. | |||||
CVE-2018-1000833 | 1 Zoneminder | 1 Zoneminder | 2019-02-06 | 7.5 HIGH | 9.8 CRITICAL |
ZoneMinder version <= 1.32.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, remote code execution. | |||||
CVE-2019-7350 | 1 Zoneminder | 1 Zoneminder | 2019-02-05 | 4.9 MEDIUM | 7.3 HIGH |
Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. This occurs because a set of multiple cookies (between 3 and 5) is being generated when a user successfully logs in, and these sets overlap for successive logins. | |||||
CVE-2019-7349 | 1 Zoneminder | 1 Zoneminder | 2019-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[V4LCapturesPerFrame]' parameter value in the view monitor (monitor.php) because proper filtration is omitted. | |||||
CVE-2019-7348 | 1 Zoneminder | 1 Zoneminder | 2019-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
Self-Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'username' parameter value in the view user (user.php) because proper filtration is omitted. | |||||
CVE-2019-7346 | 1 Zoneminder | 1 Zoneminder | 2019-02-05 | 6.8 MEDIUM | 8.8 HIGH |
A CSRF check issue exists in ZoneMinder through 1.32.3 as whenever a CSRF check fails, a callback function is called displaying a "Try again" button, which allows resending the failed request, making the CSRF attack successful. | |||||
CVE-2019-7344 | 1 Zoneminder | 1 Zoneminder | 2019-02-05 | 4.3 MEDIUM | 6.1 MEDIUM |
Reflected XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'filter' as it insecurely prints the 'filter[Name]' (aka Filter name) value on the web page without applying any proper filtration. | |||||
CVE-2019-7345 | 1 Zoneminder | 1 Zoneminder | 2019-02-05 | 3.5 LOW | 4.8 MEDIUM |
Self-Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'options' (options.php) does no input validation for the WEB_TITLE, HOME_URL, HOME_CONTENT, or WEB_CONSOLE_BANNER value, allowing an attacker to execute HTML or JavaScript code. This relates to functions.php. | |||||