
CVSS: 9.1 | EPSS: 0% | CPEs: 2 | EXPL: 1

ZoneMinder is a free, open source closed-circuit television software application. In affected versions the ZoneMinder API exposes database log contents to users without privileges and allows insertion, modification and deletion of logs without system privileges. Users are advised to upgrade as soon as possible. Users unable to upgrade should disable database logging.
• https://github.com/ZoneMinder/zoneminder/commit/34ffd92bf123070cab6c83ad4cfe6297dd0ed0b4
• https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-mpcx-3gvh-9488
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-287: Improper Authentication
• CWE-862: Missing Authorization

CVSS: 7.6 | EPSS: 0% | CPEs: 2 | EXPL: 2

ZoneMinder is a free, open source closed-circuit television software application. The file parameter is vulnerable to cross-site scripting (XSS) by breaking out of the enclosing "tr" and "td" tags. This allows a malicious user to supply code that executes when a user views the specific log entry on the "view=log" page. In other words, an attacker can store code in the logs that runs when a legitimate user loads them, with that user's permissions. This could lead to data loss and/or further exploitation, including account takeover.
• https://www.exploit-db.com/exploits/51071
• http://packetstormsecurity.com/files/171498/Zoneminder-Log-Injection-XSS-Cross-Site-Request-Forgery.html
• https://github.com/ZoneMinder/zoneminder/commit/c0a4c05e84eea0f6ccf7169c014efe5422c9ba0d
• https://github.com/ZoneMinder/zoneminder/commit/d289eb48601a76e34feea3c1683955337b1fae59
• https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 35% | CPEs: 1 | EXPL: 2

ZoneMinder before 1.36.13 allows remote code execution via an invalid language. The ability to create a debug log file at an arbitrary pathname contributes to exploitability.
• http://packetstormsecurity.com/files/166980/ZoneMinder-Language-Settings-Remote-Code-Execution.html
• https://forums.zoneminder.com/viewtopic.php?t=31638
• https://github.com/ZoneMinder/zoneminder/commit/9fee64b62fbdff5bf5ece1d617f1f53c7b1967cb
• https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.13
• https://krastanoel.com/cve/2022-29806
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php.
• https://forums.zoneminder.com/viewforum.php?f=1
• https://github.com/ZoneMinder/zoneminder/commit/9268db14a79c4ccd444c2bf8d24e62b13207b413
• https://github.com/ZoneMinder/zoneminder/releases/tag/1.34.21
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

ZoneMinder before 1.32.3 has SQL injection via the sort parameter of ajax/status.php.
• https://github.com/LoRexxar/CVE_Request/tree/master/zoneminder%20vul%20before%20v1.32.3#ajaxstatusphp-line-276-orderby-sql-injection
• https://www.seebug.org/vuldb/ssvid-97763
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')