CVE-2024-51482 – Boolean-based SQL Injection in ZoneMinder v1.37.* <= 1.37.64
https://notcve.org/view.php?id=CVE-2024-51482
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.64. ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. • https://github.com/ZoneMinder/zoneminder/commit/9e7d31841ed9678a7dd06869037686fc9925e59f https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-qm8h-3xvf-m7j3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-43360 – ZoneMinder Time-based SQL Injection
https://notcve.org/view.php?id=CVE-2024-43360
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61. • https://github.com/ZoneMinder/zoneminder/commit/677f6a31551f128554f7b0110a52fd76453a657a https://github.com/ZoneMinder/zoneminder/commit/a194fe81d34c5eea2ab1dc18dc8df615fca634a6 https://github.com/ZoneMinder/zoneminder/commit/bb07118118e23b5670c2c18be8be2cc6b8529397 https://github.com/ZoneMinder/zoneminder/commit/de8f387207e9c506e8e8007eda725741a25601c5 https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-9cmr-7437-v9fj • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-43359 – XSS vulnerabilities in montagereview
https://notcve.org/view.php?id=CVE-2024-43359
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the montagereview via the displayinterval, speed, and scale parameters. This vulnerability is fixed in 1.36.34 and 1.37.61. • https://github.com/ZoneMinder/zoneminder/commit/6cc64dddff6144a98680f65ecf8dc249028431af https://github.com/ZoneMinder/zoneminder/commit/b51c5df0cb869ca48fccfc6e6fd7c19bf717ecd2 https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-pjjm-3qxp-6hj8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-43358 – XSS vulnerability in filter view
https://notcve.org/view.php?id=CVE-2024-43358
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the filter view via the filter[Id]. This vulnerability is fixed in 1.36.34 and 1.37.61. • https://github.com/ZoneMinder/zoneminder/commit/062cf568a33fb6a8604ec327b1de8bb2e0d1ff77 https://github.com/ZoneMinder/zoneminder/commit/4602cd0470a3b90b18bcc44b3c86d963872d1ba0 https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-6rrw-66rf-6g5f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-26039 – ZoneMinder vulnerable to OS Command injection in daemonControl() API
https://notcve.org/view.php?id=CVE-2023-26039
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33. • https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-44q8-h2pw-cc9g • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •