CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10206
https://notcve.org/view.php?id=CVE-2016-10206
03 Mar 2017 — Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. Vulnerabilidad de CSRF en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que cambian contraseñas y posiblemente tener otro impacto no especificado como s... • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10202
https://notcve.org/view.php?id=CVE-2016-10202
03 Mar 2017 — Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. Vulnerabilidad de XSS en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la ruta info a index.php. • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10201
https://notcve.org/view.php?id=CVE-2016-10201
03 Mar 2017 — Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php. Vulnerabilidad de XSS en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro de formato en una solicitud de registro de descarga a index.php. • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10205
https://notcve.org/view.php?id=CVE-2016-10205
03 Mar 2017 — Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. Vulnerabilidad de reparación de sesión en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos secuestrar sesiones web a través de la cookie ZMSESSID. • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-384: Session Fixation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2016-10203
https://notcve.org/view.php?id=CVE-2016-10203
03 Mar 2017 — Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor. Vulnerabilidad de XSS en Zoneminder 1.30 y versiones anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del nombre al crear un nuevo monitor. • http://www.openwall.com/lists/oss-security/2017/02/05/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 3CVE-2017-5367 – ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass
https://notcve.org/view.php?id=CVE-2017-5367
06 Feb 2017 — Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterm... • https://packetstorm.news/files/id/140927 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-5595 – ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass
https://notcve.org/view.php?id=CVE-2017-5595
06 Feb 2017 — A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request. Existe una vulnerabilidad de divulgación e inclusión de archivos en web/views/file.php en ZoneMinder ... • https://packetstorm.news/files/id/140927 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 3CVE-2017-5368 – ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass
https://notcve.org/view.php?id=CVE-2017-5368
06 Feb 2017 — ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1... • https://packetstorm.news/files/id/140927 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 34%CPEs: 1EXPL: 2CVE-2016-10140 – ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass
https://notcve.org/view.php?id=CVE-2016-10140
13 Jan 2017 — Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI. La vulnerabilidad de desvío de autenticación y divulgación de información existe en la configuración del servidor HTTP de Apache incluida con ZoneMinder v1.30 y v1.29, que... • https://packetstorm.news/files/id/140927 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •