Filtered by vendor Zoneminder
Subscribe
Total
81 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-39290 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 6.5 MEDIUM |
| ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request. An attacker can take advantage of this by using an HTTP GET request to perform actions with no CSRF protection. This could allow an attacker to cause an authenticated user to perform unexpected actions on the web application. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue. | |||||
| CVE-2022-39291 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 5.4 MEDIUM |
| ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-39285 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 5.4 MEDIUM |
| ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging. | |||||
| CVE-2022-30769 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 4.6 MEDIUM |
| Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user. | |||||
| CVE-2022-39289 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 7.5 HIGH |
| ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable to upgrade should disable database logging. | |||||
| CVE-2022-30768 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 and requires a different attack method. | |||||
| CVE-2022-29806 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability. | |||||
| CVE-2020-25729 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php. | |||||
| CVE-2019-13072 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
| Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page. | |||||
| CVE-2019-7345 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM |
| Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'options' (options.php) does no input validation for the WEB_TITLE, HOME_URL, HOME_CONTENT, or WEB_CONSOLE_BANNER value, allowing an attacker to execute HTML or JavaScript code. This relates to functions.php. | |||||
| CVE-2018-1000832 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
| ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. | |||||
| CVE-2019-7350 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 4.9 MEDIUM | 7.3 HIGH |
| Session fixation exists in ZoneMinder through 1.32.3, as an attacker can fixate his own session cookies to the next logged-in user, thereby hijacking the victim's account. This occurs because a set of multiple cookies (between 3 and 5) is being generated when a user successfully logs in, and these sets overlap for successive logins. | |||||
| CVE-2019-7342 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[AutoExecuteCmd]' parameter value in the view filter (filter.php) because proper filtration is omitted. | |||||
| CVE-2019-7344 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'filter' as it insecurely prints the 'filter[Name]' (aka Filter name) value on the web page without applying any proper filtration. | |||||
| CVE-2019-7347 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 6.0 MEDIUM | 7.5 HIGH |
| A Time-of-check Time-of-use (TOCTOU) Race Condition exists in ZoneMinder through 1.32.3 as a session remains active for an authenticated user even after deletion from the users table. This allows a nonexistent user to access and modify records (add/delete Monitors, Users, etc.). | |||||
| CVE-2019-7339 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'level' parameter value in the view log (log.php) because proper filtration is omitted. | |||||
| CVE-2019-7346 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
| A CSRF check issue exists in ZoneMinder through 1.32.3 as whenever a CSRF check fails, a callback function is called displaying a "Try again" button, which allows resending the failed request, making the CSRF attack successful. | |||||
| CVE-2019-6991 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| A classic Stack-based buffer overflow exists in the zmLoadUser() function in zm_user.cpp of the zmu binary in ZoneMinder through 1.32.3, allowing an unauthenticated attacker to execute code via a long username. | |||||
| CVE-2019-8425 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages. | |||||
| CVE-2019-7343 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[Method]' parameter value in the view monitor (monitor.php) because proper filtration is omitted. | |||||