Zoneminder
by Zoneminder
CVEs (87)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-8425 | | | 0.00 | — | 0.01 | | Feb 18, 2019 | includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages. |
| CVE-2019-8429 | | | 0.00 | — | 0.02 | | Feb 18, 2019 | ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. |
| CVE-2019-8424 | | | 0.00 | — | 0.02 | | Feb 18, 2019 | ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter. |
| CVE-2019-8426 | | | 0.00 | — | 0.01 | | Feb 18, 2019 | skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter. |
| CVE-2019-8427 | | | 0.00 | — | 0.02 | | Feb 18, 2019 | daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters. |
| CVE-2019-8428 | | | 0.00 | — | 0.02 | | Feb 18, 2019 | ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value. |
| CVE-2019-8423 | | | 0.00 | — | 0.02 | | Feb 18, 2019 | ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter. |
| CVE-2019-7338 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'group' as it insecurely prints the 'Group Name' value on the web page without applying any proper filtration. |
| CVE-2019-7331 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 while editing an existing monitor field named "signal check color" (monitor.php). There exists no input validation or output filtration, leaving it vulnerable to HTML Injection and an XSS attack. |
| CVE-2019-7343 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[Method]' parameter value in the view monitor (monitor.php) because proper filtration is omitted. |
| CVE-2019-7328 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'scale' parameter value in the view frame (frame.php) via /js/frame.js.php because proper filtration is omitted. |
| CVE-2019-7329 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the form action on multiple views utilizes $_SERVER['PHP_SELF'] insecurely, mishandling any arbitrary input appended to the webroot URL, without any proper filtration, leading to XSS. |
| CVE-2019-7351 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Log Injection exists in ZoneMinder through 1.32.3, as an attacker can entice the victim to visit a specially crafted link, which in turn will inject a custom Log message provided by the attacker in the 'log' view page, as demonstrated by the message=User%20'admin'%20Logged%20in… |
| CVE-2019-7325 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as multiple views under web/skins/classic/views insecurely utilize $_REQUEST['PHP_SELF'], without applying any proper filtration. |
| CVE-2019-7339 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'level' parameter value in the view log (log.php) because proper filtration is omitted. |
| CVE-2019-7333 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'Exportfile' parameter value in the view download (download.php) because proper filtration is omitted. |
| CVE-2019-7340 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[Query][terms][0][val]' parameter value in the view filter (filter.php) because proper filtration is omitted. |
| CVE-2019-7327 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'scale' parameter value in the view frame (frame.php) because proper filtration is omitted. |
| CVE-2019-7342 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[AutoExecuteCmd]' parameter value in the view filter (filter.php) because proper filtration is omitted. |
| CVE-2019-7334 | | | 0.00 | — | 0.01 | | Feb 4, 2019 | Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'Exportfile' parameter value in the view export (export.php) because proper filtration is omitted. |