Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Zoneminder
(Zoneminder)Repositories |
• https://github.com/ZoneMinder/zoneminder
• https://github.com/ZoneMinder/ZoneMinder • https://github.com/mnoorenberghe/ZoneMinder |
#Vulnerabilities | 76 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-02-25 | CVE-2023-26036 | ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath, however dentaintPath does not properly sandbox the path. This can be exploited by constructing paths like... | Zoneminder | 9.8 | ||
2023-02-25 | CVE-2023-26037 | ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. | Zoneminder | 9.8 | ||
2023-02-25 | CVE-2023-26038 | ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33. | Zoneminder | 6.5 | ||
2023-02-25 | CVE-2023-26039 | ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33. | Zoneminder | 8.8 | ||
2019-06-30 | CVE-2019-13072 | Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page. | Zoneminder | 5.4 | ||
2022-04-26 | CVE-2022-29806 | ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability. | Zoneminder | 9.8 | ||
2019-02-17 | CVE-2019-8429 | ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. | Zoneminder | 9.8 | ||
2019-02-17 | CVE-2019-8428 | ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value. | Zoneminder | 9.8 | ||
2019-02-17 | CVE-2019-8427 | daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters. | Zoneminder | 9.8 | ||
2019-02-17 | CVE-2019-8426 | skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter. | Zoneminder | 6.1 |