CVSS: 9.8EPSS: 87%CPEs: 1EXPL: 3CVE-2022-29806 – Ubuntu Security Notice USN-5889-1
https://notcve.org/view.php?id=CVE-2022-29806
26 Apr 2022 — ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability. ZoneMinder antes de la versión 1.36.13 permite la ejecución remota de código a través de un lenguaje no válido. La capacidad de crear un archivo de registro de depuración en una ruta arbitraria contribuye a la explotabilidad It was discovered that ZoneMinder was not properly sanitizing URL parameters for certain views. An attacker could po... • https://packetstorm.news/files/id/166980 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25729
https://notcve.org/view.php?id=CVE-2020-25729
17 Sep 2020 — ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php. ZoneMinder versiones anteriores a 1.34.21, presenta una vulnerabilidad de tipo XSS por medio del parámetro connkey para los archivos download.php o export.php • https://forums.zoneminder.com/viewforum.php?f=1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2019-13072
https://notcve.org/view.php?id=CVE-2019-13072
30 Jun 2019 — Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page. Un problema de tipo XSS almacenado en la página Filters (campo Name) en ZoneMinder versión 1.32.3, permite a un usuario malicioso insertar y ejecutar código JavaScript en el navegador de cualquier usuario que navegue en esta página. • https://github.com/ZoneMinder/zoneminder/issues/2642 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 1CVE-2019-8427
https://notcve.org/view.php?id=CVE-2019-8427
18 Feb 2019 — daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters. daemonControl en includes/functions.php en ZoneMinder, en versiones anteriores a la 1.32.3, permite la inyección de comandos mediante metacaracteres shell. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#includesfunctionsphp-daemoncontrol-command-injection • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8428
https://notcve.org/view.php?id=CVE-2019-8428
18 Feb 2019 — ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value. ZoneMinder, en versiones anteriores a la 1.32.3, tiene una inyección SQL mediante el parámetro groupSql en skins/classic/views/control.php, tal y como queda demostrado con un nuevo valor newGroup[MonitorIds][]. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#skinsclassicviewscontrolphp-line-35-second-order-sqli • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8429
https://notcve.org/view.php?id=CVE-2019-8429
18 Feb 2019 — ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. ZoneMinder, en versiones anteriores a la 1.32.3, tiene una inyección SQL mediante el parámetro filter[Query][terms][0][cnj] en ajax/status.php. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#ajaxstatusphp-line-393-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8423
https://notcve.org/view.php?id=CVE-2019-8423
18 Feb 2019 — ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter. ZoneMinder, hasta la versión 1.32.3, tiene una inyección SQL mediante el parámetro filter[Query][terms][0][cnj] en skins/classic/views/events.php. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#skinsclassicviewseventsphp-line-44-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8424
https://notcve.org/view.php?id=CVE-2019-8424
18 Feb 2019 — ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter. ZoneMinder, en versiones anteriores a la 1.32.3, tiene una inyección SQL mediante el parámetro sort en ajax/status.php. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#ajaxstatusphp-line-276-orderby-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8425
https://notcve.org/view.php?id=CVE-2019-8425
18 Feb 2019 — includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages. includes/database.php en ZoneMinder, en versiones anteriores a la 1.32.3, tiene Cross-Site Scripting (XSS) en la construcción de mensajes SQL-ERR. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#sql-query-error-reflected-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8426
https://notcve.org/view.php?id=CVE-2019-8426
18 Feb 2019 — skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter. skins/classic/views/controlcap.php en ZoneMinder, en versiones anteriores a la 1.32.3, tiene Cross-Site Scripting (XSS) mediante el array newControl, tal y como queda demostrado con el parámetro newControl[MinTiltRange]. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#skinsclassicviewscontrolcapphp-reflected-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •