VYPR

Vendor CVEs

Zoneminder

All CVEs

87 total · sorted by risk
  • CVE-2016-10204 · Critical · Mar 3, 2017
    risk 0.64 · cvss 9.8 · epss 0.02

    SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php.

  • CVE-2024-51482 · Critical · Oct 31, 2024
    risk 0.61 · cvss 9.9 · epss 0.37

    ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.

  • CVE-2016-10206 · High · Mar 3, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to…

  • CVE-2017-5368 · High · Feb 6, 2017
    risk 0.57 · cvss 8.8 · epss 0.01

    ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery), which allows a remote attacker to make changes to the web application as the currently logged-in victim. If the victim visits a malicious web page, the attacker…

  • CVE-2016-10205 · High · Mar 3, 2017
    risk 0.48 · cvss 7.3 · epss 0.01

    Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.

  • CVE-2016-10140 · High · Jan 13, 2017
    risk 0.42 · cvss 7.5 · epss 0.07

    Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated…

  • CVE-2017-7203 · Medium · Mar 21, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    A Cross-Site Scripting (XSS) was discovered in ZoneMinder before 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute…

  • CVE-2016-10203 · Medium · Mar 3, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor.

  • CVE-2016-10202 · Medium · Mar 3, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php.

  • CVE-2016-10201 · Medium · Mar 3, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php.

  • CVE-2017-5367 · Medium · Feb 6, 2017
    risk 0.40 · cvss 6.1 · epss 0.02

    Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is…

  • CVE-2017-5595 · Medium · Feb 6, 2017
    risk 0.36 · cvss 5.5 · epss 0.00

    A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the…

  • CVE-2022-29806 · Apr 26, 2022
    risk 0.08 · cvss n/a · epss 0.66

    ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.

  • CVE-2023-26035 · Feb 25, 2023
    risk 0.07 · cvss n/a · epss 0.80

    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions…

  • CVE-2013-0232 · Mar 20, 2013
    risk 0.07 · cvss n/a · epss 0.48

    includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the…

  • CVE-2013-0332 · Mar 20, 2013
    risk 0.04 · cvss n/a · epss 0.10

    Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x before 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) view, (2) request, or (3) action parameter.

  • CVE-2018-1000832 · Dec 20, 2018
    risk 0.01 · cvss n/a · epss 0.06

    ZoneMinder version <= 1.32.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, or remote code execution.

  • CVE-2026-27470 · Feb 21, 2026
    risk 0.00 · cvss n/a · epss 0.00

    ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values…

  • CVE-2025-65791 · Feb 18, 2026
    risk 0.00 · cvss n/a · epss 0.02

    ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.

  • CVE-2023-31493 · Oct 15, 2024
    risk 0.00 · cvss n/a · epss 0.01

    RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33, as an attacker can create a new .php log file in the language folder while executing a crafted payload, and escalate privileges, allowing execution of any commands on the remote system.

  • CVE-2024-43360 · Aug 12, 2024
    risk 0.00 · cvss n/a · epss 0.06

    ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61.

  • CVE-2024-43359 · Aug 12, 2024
    risk 0.00 · cvss n/a · epss 0.00

    ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the montagereview via the displayinterval, speed, and scale parameters. This vulnerability is fixed in 1.36.34 and 1.37.61.

  • CVE-2024-43358 · Aug 12, 2024
    risk 0.00 · cvss n/a · epss 0.00

    ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the filter view via the filter[Id]. This vulnerability is fixed in 1.36.34 and 1.37.61.

  • CVE-2023-41884 · Aug 12, 2024
    risk 0.00 · cvss n/a · epss 0.01

    ZoneMinder is a free, open source Closed-circuit television software application. In WWW/AJAX/watch.php, line 51 takes several parameters into an SQL query without sanitizing them, which makes it vulnerable to SQL injection. This vulnerability is fixed in 1.36.34.

  • CVE-2020-25730 · Apr 4, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Cross Site Scripting (XSS) vulnerability in ZoneMinder before version 1.34.21 allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the PHP_SELF component in classic/views/download.php.

  • CVE-2023-26039 · Feb 25, 2023
    risk 0.00 · cvss n/a · epss 0.01

    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any…

  • CVE-2023-26038 · Feb 25, 2023
    risk 0.00 · cvss n/a · epss 0.01

    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an…

  • CVE-2023-26037 · Feb 25, 2023
    risk 0.00 · cvss n/a · epss 0.01

    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could…

  • CVE-2023-26036 · Feb 25, 2023
    risk 0.00 · cvss n/a · epss 0.01

    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling…

  • CVE-2023-26034 · Feb 25, 2023
    risk 0.00 · cvss n/a · epss 0.02

    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within…

  • CVE-2023-26032 · Feb 25, 2023
    risk 0.00 · cvss n/a · epss 0.01

    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain SQL Injection via a malicious JSON web token. The Username field of the JWT token was trusted when…

  • CVE-2023-25825 · Feb 25, 2023
    risk 0.00 · cvss n/a · epss 0.01

    ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious…

  • CVE-2022-30768 · Nov 15, 2022
    risk 0.00 · cvss n/a · epss 0.01

    A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. NOTE: this exists in later versions…

  • CVE-2022-30769 · Nov 15, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.

  • CVE-2022-39285 · Oct 7, 2022
    risk 0.00 · cvss n/a · epss 0.04

    ZoneMinder is a free, open source Closed-circuit television software application. The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute…

  • CVE-2022-39290 · Oct 7, 2022
    risk 0.00 · cvss n/a · epss 0.05

    ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET…

  • CVE-2022-39291 · Oct 7, 2022
    risk 0.00 · cvss n/a · epss 0.05

    ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an…

  • CVE-2022-39289 · Oct 7, 2022
    risk 0.00 · cvss n/a · epss 0.01

    ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API exposes database log contents to users without privileges, and allows insertion, modification, and deletion of logs without System privileges. Users are advised to…

  • CVE-2020-25729 · Sep 17, 2020
    risk 0.00 · cvss n/a · epss 0.01

    ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php.

  • CVE-2019-13072 · Jun 30, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page.

  • CVE-2019-8425 · Feb 18, 2019
    risk 0.00 · cvss n/a · epss 0.01

    includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.

  • CVE-2019-8429 · Feb 18, 2019
    risk 0.00 · cvss n/a · epss 0.02

    ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.

  • CVE-2019-8424 · Feb 18, 2019
    risk 0.00 · cvss n/a · epss 0.02

    ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.

  • CVE-2019-8426 · Feb 18, 2019
    risk 0.00 · cvss n/a · epss 0.01

    skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.

  • CVE-2019-8427 · Feb 18, 2019
    risk 0.00 · cvss n/a · epss 0.02

    daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.

  • CVE-2019-8428 · Feb 18, 2019
    risk 0.00 · cvss n/a · epss 0.02

    ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value.

  • CVE-2019-8423 · Feb 18, 2019
    risk 0.00 · cvss n/a · epss 0.02

    ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.

  • CVE-2019-7338 · Feb 4, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Self-stored XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'group', as it insecurely prints the 'Group Name' value on the web page without applying any proper filtration.

  • CVE-2019-7331 · Feb 4, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Self-stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3 while editing an existing monitor field named "signal check color" (monitor.php). There is no input validation or output filtration, leaving it vulnerable to HTML injection and an XSS attack.

  • CVE-2019-7343 · Feb 4, 2019
    risk 0.00 · cvss n/a · epss 0.01

    Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[Method]' parameter value in the view monitor (monitor.php), because proper filtration is omitted.

Page 1 of 2