CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51482 – Boolean-based SQL Injection in ZoneMinder v1.37.* <= 1.37.64
https://notcve.org/view.php?id=CVE-2024-51482
31 Oct 2024 — ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.64. ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. • https://github.com/ZoneMinder/zoneminder/commit/9e7d31841ed9678a7dd06869037686fc9925e59f • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-31493
https://notcve.org/view.php?id=CVE-2023-31493
15 Oct 2024 — RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system. • http://zoneminder.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 7%CPEs: 2EXPL: 0CVE-2024-43360 – ZoneMinder Time-based SQL Injection
https://notcve.org/view.php?id=CVE-2024-43360
12 Aug 2024 — ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61. • https://github.com/ZoneMinder/zoneminder/commit/677f6a31551f128554f7b0110a52fd76453a657a • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43359 – XSS vulnerabilities in montagereview
https://notcve.org/view.php?id=CVE-2024-43359
12 Aug 2024 — ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the montagereview via the displayinterval, speed, and scale parameters. This vulnerability is fixed in 1.36.34 and 1.37.61. • https://github.com/ZoneMinder/zoneminder/commit/6cc64dddff6144a98680f65ecf8dc249028431af • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43358 – XSS vulnerability in filter view
https://notcve.org/view.php?id=CVE-2024-43358
12 Aug 2024 — ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the filter view via the filter[Id]. This vulnerability is fixed in 1.36.34 and 1.37.61. • https://github.com/ZoneMinder/zoneminder/commit/062cf568a33fb6a8604ec327b1de8bb2e0d1ff77 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41884 – ZoneMinder Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in watch.php
https://notcve.org/view.php?id=CVE-2023-41884
12 Aug 2024 — ZoneMinder is a free, open source Closed-circuit television software application. In WWW/AJAX/watch.php, Line: 51 takes a few parameter in sql query without sanitizing it which makes it vulnerable to sql injection. This vulnerability is fixed in 1.36.34. • https://github.com/ZoneMinder/zoneminder/commit/677f6a31551f128554f7b0110a52fd76453a657a • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-26039 – ZoneMinder vulnerable to OS Command injection in daemonControl() API
https://notcve.org/view.php?id=CVE-2023-26039
25 Feb 2023 — ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33. • https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-44q8-h2pw-cc9g • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2023-26038 – ZoneMinder contains Local File Inclusion vulnerability via `web/ajax/modal.php`
https://notcve.org/view.php?id=CVE-2023-26038
25 Feb 2023 — ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33. • https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-wrx3-r8c4-r24w • CWE-426: Untrusted Search Path •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-26037 – ZoneMinder contains SQL Injection via report_event_audit
https://notcve.org/view.php?id=CVE-2023-26037
25 Feb 2023 — ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. • https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-65jp-2hj3-3733 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-26036 – ZoneMinder contains Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2023-26036
25 Feb 2023 — ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath, however dentaintPath does not properly sandbox the path. This can be exploited by constructing paths like "..././", which get... • https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h5m9-6jjc-cgmw • CWE-426: Untrusted Search Path •