CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2018-1000833
https://notcve.org/view.php?id=CVE-2018-1000833
20 Dec 2018 — ZoneMinder version <= 1.32.2 contains a Other/Unknown vulnerability in User-controlled parameter that can result in Disclosure of confidential data, denial of service, SSRF, remote code execution. ZoneMinder, en versiones iguales o anteriores a la 1.32.2, contiene una vulnerabilidad desconocida en el parámetro controlado por el usuario que puede resultar en la divulgación de datos confidenciales, una denegación de servicio (DoS), Server-Side Request Forgery (SSRF) o la ejecución remota de código. • https://0dd.zone/2018/10/28/zoneminder-Object-Injection-2 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-7203
https://notcve.org/view.php?id=CVE-2017-7203
21 Mar 2017 — A Cross-Site Scripting (XSS) was discovered in ZoneMinder before 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. Se descubrió un Cross-Site Scripting (XSS) en ZoneMinder en versiones anteriores a la 1.30.2. La vulnerabilidad existe por el filtrado insuficiente d... • http://www.securityfocus.com/bid/97001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10201
https://notcve.org/view.php?id=CVE-2016-10201
03 Mar 2017 — Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php. Vulnerabilidad de XSS en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro de formato en una solicitud de registro de descarga a index.php. • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10202
https://notcve.org/view.php?id=CVE-2016-10202
03 Mar 2017 — Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. Vulnerabilidad de XSS en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la ruta info a index.php. • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10203
https://notcve.org/view.php?id=CVE-2016-10203
03 Mar 2017 — Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor. Vulnerabilidad de XSS en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del nombre al crear un nuevo monitor. • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10204
https://notcve.org/view.php?id=CVE-2016-10204
03 Mar 2017 — SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. Vulnerabilidad de inyección SQL en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro limit en una solicitud de consulta de registro a index.php. • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10205
https://notcve.org/view.php?id=CVE-2016-10205
03 Mar 2017 — Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. Vulnerabilidad de reparación de sesión en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos secuestrar sesiones web a través de la cookie ZMSESSID. • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-384: Session Fixation •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10206
https://notcve.org/view.php?id=CVE-2016-10206
03 Mar 2017 — Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. Vulnerabilidad de CSRF en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que cambian contraseñas y posiblemente tener otro impacto no especificado como s... • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 3CVE-2017-5367 – ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass
https://notcve.org/view.php?id=CVE-2017-5367
06 Feb 2017 — Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterm... • https://packetstorm.news/files/id/140927 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 3CVE-2017-5368 – ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass
https://notcve.org/view.php?id=CVE-2017-5368
06 Feb 2017 — ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1... • https://packetstorm.news/files/id/140927 • CWE-352: Cross-Site Request Forgery (CSRF) •