VYPR

Zoneminder

by Zoneminder

CVEs (87)

  • CVE-2016-10204 | Critical | Mar 3, 2017
    risk 0.64 | cvss 9.8 | epss 0.02

    SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php.

  • CVE-2024-51482 | Critical | Oct 31, 2024
    risk 0.61 | cvss 9.9 | epss 0.37

    ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.

  • CVE-2016-10206 | High | Mar 3, 2017
    risk 0.57 | cvss 8.8 | epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to…

  • CVE-2017-5368 | High | Feb 6, 2017
    risk 0.57 | cvss 8.8 | epss 0.01

    ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attacker to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker…

  • CVE-2016-10205 | High | Mar 3, 2017
    risk 0.48 | cvss 7.3 | epss 0.01

    Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.

  • CVE-2016-10140 | High | Jan 13, 2017
    risk 0.42 | cvss 7.5 | epss 0.07

    Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated…

  • CVE-2017-7203 | Medium | Mar 21, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    A Cross-Site Scripting (XSS) vulnerability was discovered in ZoneMinder before 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute…

  • CVE-2016-10203 | Medium | Mar 3, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor.

  • CVE-2016-10202 | Medium | Mar 3, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php.

  • CVE-2016-10201 | Medium | Mar 3, 2017
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php.

  • CVE-2017-5367 | Medium | Feb 6, 2017
    risk 0.40 | cvss 6.1 | epss 0.02

    Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is…

  • CVE-2017-5595 | Medium | Feb 6, 2017
    risk 0.36 | cvss 5.5 | epss 0.00

    A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the…

  • CVE-2022-29806 | Apr 26, 2022
    risk 0.08 | cvss | epss 0.66

    ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.

  • CVE-2023-26035 | Feb 25, 2023
    risk 0.07 | cvss | epss 0.80

    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions…

  • CVE-2013-0232 | Mar 20, 2013
    risk 0.07 | cvss | epss 0.48

    includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the…

  • CVE-2013-0332 | Mar 20, 2013
    risk 0.04 | cvss | epss 0.10

    Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x before 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) view, (2) request, or (3) action parameter.

  • CVE-2018-1000832 | Dec 20, 2018
    risk 0.01 | cvss | epss 0.06

    ZoneMinder version <= 1.32.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, remote code execution.

  • CVE-2026-27470 | Feb 21, 2026
    risk 0.00 | cvss | epss 0.00

    ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values…

  • CVE-2025-65791 | Feb 18, 2026
    risk 0.00 | cvss | epss 0.02

    ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.

  • CVE-2023-31493 | Oct 15, 2024
    risk 0.00 | cvss | epss 0.01

    RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in the language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.
