
CVE-2019-8425
https://notcve.org/view.php?id=CVE-2019-8425
18 Feb 2019 — includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#sql-query-error-reflected-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-8423
https://notcve.org/view.php?id=CVE-2019-8423
18 Feb 2019 — ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#skinsclassicviewseventsphp-line-44-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-8427
https://notcve.org/view.php?id=CVE-2019-8427
18 Feb 2019 — daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#includesfunctionsphp-daemoncontrol-command-injection • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2019-8426
https://notcve.org/view.php?id=CVE-2019-8426
18 Feb 2019 — skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#skinsclassicviewscontrolcapphp-reflected-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-8424
https://notcve.org/view.php?id=CVE-2019-8424
18 Feb 2019 — ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#ajaxstatusphp-line-276-orderby-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-8429
https://notcve.org/view.php?id=CVE-2019-8429
18 Feb 2019 — ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. • https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#ajaxstatusphp-line-393-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-7344
https://notcve.org/view.php?id=CVE-2019-7344
04 Feb 2019 — Reflected XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'filter' as it insecurely prints the 'filter[Name]' (aka Filter name) value on the web page without applying any proper filtration. • https://github.com/ZoneMinder/zoneminder/issues/2455 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-7335
https://notcve.org/view.php?id=CVE-2019-7335
04 Feb 2019 — Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'log' as it insecurely prints the 'Log Message' value on the web page without applying any proper filtration. This relates to the view=logs value. • https://github.com/ZoneMinder/zoneminder/issues/2453 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-7342
https://notcve.org/view.php?id=CVE-2019-7342
04 Feb 2019 — POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[AutoExecuteCmd]' parameter value in the view filter (filter.php) because proper filtration is omitted. • https://github.com/ZoneMinder/zoneminder/issues/2461 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-7351
https://notcve.org/view.php?id=CVE-2019-7351
04 Feb 2019 — Log Injection exists in ZoneMinder through 1.32.3, as an attacker can entice the victim to visit a specially crafted link, which in turn will inject a custom Log message provided by the attacker in the 'log' view page, as demonstrated by the message=User%20'admin'%20Logged%20in value. • https://github.com/ZoneMinder/zoneminder/issues/2466 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')