CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10204
https://notcve.org/view.php?id=CVE-2016-10204
SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. Vulnerabilidad de inyección SQL en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro limit en una solicitud de consulta de registro a index.php. • http://www.openwall.com/lists/oss-security/2017/02/05/1 https://www.foxmole.com/advisories/foxmole-2016-07-05.txt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10205
https://notcve.org/view.php?id=CVE-2016-10205
Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. Vulnerabilidad de reparación de sesión en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos secuestrar sesiones web a través de la cookie ZMSESSID. • http://www.openwall.com/lists/oss-security/2017/02/05/1 http://www.securityfocus.com/bid/97116 https://www.foxmole.com/advisories/foxmole-2016-07-05.txt • CWE-384: Session Fixation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10202
https://notcve.org/view.php?id=CVE-2016-10202
Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. Vulnerabilidad de XSS en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la ruta info a index.php. • http://www.openwall.com/lists/oss-security/2017/02/05/1 https://www.foxmole.com/advisories/foxmole-2016-07-05.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10206
https://notcve.org/view.php?id=CVE-2016-10206
Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. Vulnerabilidad de CSRF en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que cambian contraseñas y posiblemente tener otro impacto no especificado como se demuestra por una solicitud de acción de usuario a index.php manipulada. • http://www.openwall.com/lists/oss-security/2017/02/05/1 http://www.securityfocus.com/bid/97114 https://www.foxmole.com/advisories/foxmole-2016-07-05.txt • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2CVE-2017-5367 – ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass
https://notcve.org/view.php?id=CVE-2017-5367
Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others). Existen múltiples vulnerabilidades XSS reflejadas dentro de los parámetros de entrada de formulario y enlace de ZoneMinder v1.30 y v1.29, una aplicación web de servidor CCTV de código abierto, lo que permite a un atacante remoto ejecutar secuencias de comandos maliciosos dentro del navegador de un cliente autenticado. La URL es /zm/index.php y los parámetros de muestra podrían incluir action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (entre otros). Various ZoneMinder versions suffer from authentication bypass, cross site request forgery, cross site scripting, information disclosure, and file disclosure vulnerabilities. • http://seclists.org/bugtraq/2017/Feb/6 http://seclists.org/fulldisclosure/2017/Feb/11 http://www.securityfocus.com/bid/96120 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •