ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33.
Max CVSS
8.8
EPSS Score
0.12%
Published
2023-02-25
Updated
2023-03-07
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33.
Max CVSS
6.5
EPSS Score
0.07%
Published
2023-02-25
Updated
2023-03-07
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.
Max CVSS
9.8
EPSS Score
0.12%
Published
2023-02-25
Updated
2023-03-07
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath, however dentaintPath does not properly sandbox the path. This can be exploited by constructing paths like "..././", which get replaced by "../". This issue is patched in versions 1.36.33 and 1.37.33.
Max CVSS
9.8
EPSS Score
0.15%
Published
2023-02-25
Updated
2023-03-07

CVE-2023-26035

Public exploit
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33.
Max CVSS
9.8
EPSS Score
97.00%
Published
2023-02-25
Updated
2023-11-14
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.
Max CVSS
9.6
EPSS Score
0.13%
Published
2023-02-25
Updated
2023-03-07
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain SQL Injection via malicious jason web token. The Username field of the JWT token was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT token and use it to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.
Max CVSS
8.9
EPSS Score
0.12%
Published
2023-02-25
Updated
2023-03-07
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious referrer field. This is unescaped when viewing the logs in the web ui. This issue is patched in version 1.36.33.
Max CVSS
7.7
EPSS Score
0.08%
Published
2023-02-25
Updated
2023-03-07
ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submission is not rate controlled and could affect database performance and/or consume all storage resources. Users are advised to upgrade. There are no known workarounds for this issue.
Max CVSS
5.4
EPSS Score
0.08%
Published
2022-10-07
Updated
2023-03-27
ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request. An attacker can take advantage of this by using an HTTP GET request to perform actions with no CSRF protection. This could allow an attacker to cause an authenticated user to perform unexpected actions on the web application. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.
Max CVSS
8.0
EPSS Score
0.08%
Published
2022-10-07
Updated
2023-03-27
ZoneMinder is a free, open source Closed-circuit television software application. In affected versions the ZoneMinder API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges. Users are advised yo upgrade as soon as possible. Users unable to upgrade should disable database logging.
Max CVSS
9.1
EPSS Score
0.07%
Published
2022-10-07
Updated
2023-07-14
ZoneMinder is a free, open source Closed-circuit television software application The file parameter is vulnerable to a cross site scripting vulnerability (XSS) by backing out of the current "tr" "td" brackets. This then allows a malicious user to provide code that will execute when a user views the specific log on the "view=log" page. This vulnerability allows an attacker to store code within the logs that will be executed when loaded by a legitimate user. These actions will be performed with the permission of the victim. This could lead to data loss and/or further exploitation including account takeover. This issue has been addressed in versions `1.36.27` and `1.37.24`. Users are advised to upgrade. Users unable to upgrade should disable database logging.
Max CVSS
7.6
EPSS Score
0.08%
Published
2022-10-07
Updated
2023-03-27
Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.
Max CVSS
4.6
EPSS Score
0.05%
Published
2022-11-15
Updated
2022-11-17
A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin (or non-Admin users that can see other users logged into the platform) clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 and requires a different attack method.
Max CVSS
5.4
EPSS Score
0.05%
Published
2022-11-15
Updated
2022-11-18

CVE-2022-29806

Public exploit
ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.
Max CVSS
9.8
EPSS Score
38.40%
Published
2022-04-26
Updated
2022-05-06
ZoneMinder before 1.34.21 has XSS via the connkey parameter to download.php or export.php.
Max CVSS
6.1
EPSS Score
0.08%
Published
2020-09-17
Updated
2020-09-24
Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page.
Max CVSS
5.4
EPSS Score
0.12%
Published
2019-06-30
Updated
2023-01-30
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.
Max CVSS
9.8
EPSS Score
0.15%
Published
2019-02-18
Updated
2019-02-19
ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value.
Max CVSS
9.8
EPSS Score
0.15%
Published
2019-02-18
Updated
2019-02-19
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.
Max CVSS
9.8
EPSS Score
0.23%
Published
2019-02-18
Updated
2020-08-24
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
Max CVSS
6.1
EPSS Score
0.07%
Published
2019-02-18
Updated
2019-02-19
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
Max CVSS
6.1
EPSS Score
0.07%
Published
2019-02-18
Updated
2019-02-19
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
Max CVSS
9.8
EPSS Score
0.15%
Published
2019-02-18
Updated
2019-02-19
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.
Max CVSS
9.8
EPSS Score
0.15%
Published
2019-02-18
Updated
2019-02-19
Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'state' (aka Run State) (state.php) does no input validation to the value supplied to the 'New State' (aka newState) field, allowing an attacker to execute HTML or JavaScript code.
Max CVSS
6.1
EPSS Score
0.08%
Published
2019-02-04
Updated
2019-02-04
77 vulnerabilities found
1 2 3 4
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!