Total
81 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-0332 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 5.0 MEDIUM | N/A |
| Multiple directory traversal vulnerabilities in ZoneMinder 1.24.x before 1.24.4 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) view, (2) request, or (3) action parameter. | |||||
| CVE-2013-0232 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 7.5 HIGH | N/A |
| includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function. | |||||
| CVE-2008-6756 | 2 Gentoo, Zoneminder | 2 Linux, Zoneminder | 2024-11-21 | 2.1 LOW | N/A |
| ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for /etc/zm.conf, which allows local users to obtain the database username and password by reading this file. | |||||
| CVE-2008-6755 | 2 Redhat, Zoneminder | 2 Fedora, Zoneminder | 2024-11-21 | 5.0 MEDIUM | N/A |
| ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to the apache user account, and sets the permissions to 0600, which makes it easier for remote attackers to modify this file by accessing it through a (1) PHP or (2) CGI script. | |||||
| CVE-2008-3882 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 10.0 HIGH | N/A |
| Unspecified "Command Injection" vulnerability in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary commands via (1) the executeFilter function in zm_html_view_events.php and (2) the run_state parameter to zm_html_view_state.php. | |||||
| CVE-2008-3881 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ZoneMinder 1.23.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified "zm_html_view_*.php" files. | |||||
| CVE-2008-3880 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 7.5 HIGH | N/A |
| SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary SQL commands via the filter array parameter. | |||||
| CVE-2008-1381 | 1 Zoneminder | 1 Zoneminder | 2024-11-21 | 7.5 HIGH | N/A |
| ZoneMinder before 1.23.3 allows remote authenticated users, and possibly unauthenticated attackers in some installations, to execute arbitrary commands via shell metacharacters in a crafted URL. | |||||
| CVE-2023-41884 | 1 Zoneminder | 1 Zoneminder | 2024-09-13 | N/A | 6.5 MEDIUM |
| ZoneMinder is a free, open source Closed-circuit television software application. In WWW/AJAX/watch.php, Line: 51 takes a few parameter in sql query without sanitizing it which makes it vulnerable to sql injection. This vulnerability is fixed in 1.36.34. | |||||
| CVE-2024-43359 | 1 Zoneminder | 1 Zoneminder | 2024-09-04 | N/A | 6.1 MEDIUM |
| ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the montagereview via the displayinterval, speed, and scale parameters. This vulnerability is fixed in 1.36.34 and 1.37.61. | |||||
| CVE-2024-43360 | 1 Zoneminder | 1 Zoneminder | 2024-09-04 | N/A | 9.8 CRITICAL |
| ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61. | |||||
| CVE-2024-43358 | 1 Zoneminder | 1 Zoneminder | 2024-09-04 | N/A | 6.1 MEDIUM |
| ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the filter view via the filter[Id]. This vulnerability is fixed in 1.36.34 and 1.37.61. | |||||
| CVE-2023-26039 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 8.8 HIGH |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33. | |||||
| CVE-2023-26034 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 8.8 HIGH |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution. | |||||
| CVE-2023-26032 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 8.1 HIGH |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain SQL Injection via malicious jason web token. The Username field of the JWT token was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT token and use it to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. | |||||
| CVE-2023-26037 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 9.8 CRITICAL |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. | |||||
| CVE-2023-26036 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 9.8 CRITICAL |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath, however dentaintPath does not properly sandbox the path. This can be exploited by constructing paths like "..././", which get replaced by "../". This issue is patched in versions 1.36.33 and 1.37.33. | |||||
| CVE-2023-26035 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 9.8 CRITICAL |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33. | |||||
| CVE-2023-26038 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 6.5 MEDIUM |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33. | |||||
| CVE-2023-25825 | 1 Zoneminder | 1 Zoneminder | 2024-02-28 | N/A | 6.1 MEDIUM |
| ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious referrer field. This is unescaped when viewing the logs in the web ui. This issue is patched in version 1.36.33. | |||||