Debian Zoneminder vulnerabilities

89 known vulnerabilities affecting debian/zoneminder.

Total CVEs: 89
CISA KEV: 0
Public exploits: 11
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 8, MEDIUM 12, LOW 64

Vulnerabilities

Page 1 of 5
CVE-2026-27470 | LOW | CVSS 8.8 | 2026 | debian
[HIGH] zoneminder - ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are lat

CVE-2025-65791 | LOW | CVSS 9.8 | 2025 | debian
[CRITICAL] zoneminder - ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.
Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open

CVE-2024-43358 | LOW | CVSS 6.1 | fixed in zoneminder 1.36.35+dfsg1-1 (forky) | 2024 | debian
[MEDIUM] zoneminder - ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the filter view via the filter[Id]. This vulnerability is fixed in 1.36.34 and 1.37.61.
Scope: local. bookworm: open; bullseye: open; forky: resolved (fixed in 1.36.35+dfsg1-1); sid: resolved (fixed in 1.36.35+dfsg1-1); trixie: res

CVE-2024-43360 | LOW | CVSS 9.8 | PoC | fixed in zoneminder 1.36.35+dfsg1-1 (forky) | 2024 | debian
[CRITICAL] zoneminder - ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder is affected by a time-based SQL Injection vulnerability. This vulnerability is fixed in 1.36.34 and 1.37.61.
Scope: local. bookworm: open; bullseye: open; forky: resolved (fixed in 1.36.35+dfsg1-1); sid: resolved (fixed in 1.36.35+dfsg1-1); trixie: resolved (fixed in 1.36.

CVE-2024-51482 | LOW | CVSS 9.9 | PoC | 2024 | debian
[CRITICAL] zoneminder - ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.
Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved

CVE-2024-43359 | LOW | CVSS 6.1 | fixed in zoneminder 1.36.35+dfsg1-1 (forky) | 2024 | debian
[NONE] zoneminder - ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder has a cross-site scripting vulnerability in the montagereview via the displayinterval, speed, and scale parameters. This vulnerability is fixed in 1.36.34 and 1.37.61.
Scope: local. bookworm: open; bullseye: open; forky: resolved (fixed in 1.36.35+dfsg1-1); sid: resolved (fix

CVE-2023-26037 | LOW | CVSS 8.9 | fixed in zoneminder 1.36.33+dfsg1-1 (bookworm) | 2023 | debian
[HIGH] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. Sco

CVE-2023-25825 | LOW | CVSS 7.7 | fixed in zoneminder 1.36.33+dfsg1-1 (bookworm) | 2023 | debian
[HIGH] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 are vulnerable to Cross-site Scripting. Log entries can be injected into the database logs, containing a malicious referrer field. This is unescaped when viewing the logs in the web ui. This issue is patch

CVE-2023-26034 | LOW | CVSS 9.6 | fixed in zoneminder 1.36.33+dfsg1-1 (bookworm) | 2023 | debian
[CRITICAL] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` en

CVE-2023-26032 | LOW | CVSS 8.9 | fixed in zoneminder 1.36.33+dfsg1-1 (bookworm) | 2023 | debian
[HIGH] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain SQL Injection via a malicious JSON web token. The Username field of the JWT token was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key u

CVE-2023-26035 | LOW | CVSS 7.2 | PoC | fixed in zoneminder 1.36.33+dfsg1-1 (bookworm) | 2023 | debian
[HIGH] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There is no permissions check on the snapshot action, which expects an id to fetch an existing monitor but ca

CVE-2023-26036 | LOW | CVSS 8.1 | fixed in zoneminder 1.36.33+dfsg1-1 (bookworm) | 2023 | debian
[HIGH] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by

CVE-2023-31493 | LOW | CVSS 6.6 | 2023 | debian
[MEDIUM] zoneminder - RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in the language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.
Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open

CVE-2023-26039 | LOW | CVSS 7.1 | fixed in zoneminder 1.36.33+dfsg1-1 (bookworm) | 2023 | debian
[HIGH] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web

CVE-2023-41884 | LOW | CVSS 7.1 | fixed in zoneminder 1.36.35+dfsg1-1 (forky) | 2023 | debian
[HIGH] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application. In WWW/AJAX/watch.php, line 51 takes a few parameters into an SQL query without sanitizing them, which makes it vulnerable to SQL injection. This vulnerability is fixed in 1.36.34.
Scope: local. bookworm: open; bullseye: open; forky: resolved (fixed in 1.36.35+dfsg1-1); sid: resolved (fixed in

CVE-2023-26038 | LOW | CVSS 5.4 | fixed in zoneminder 1.36.33+dfsg1-1 (bookworm) | 2023 | debian
[MEDIUM] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in

CVE-2022-30769 | LOW | CVSS 4.6 | 2022 | debian
[MEDIUM] zoneminder - Session fixation exists in ZoneMinder through 1.36.12 as an attacker can poison a session cookie to the next logged-in user.
Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open

CVE-2022-39291 | LOW | CVSS 5.4 | PoC | fixed in zoneminder 1.36.31+dfsg1-1 (bookworm) | 2022 | debian
[MEDIUM] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application. Affected versions of zoneminder are subject to a vulnerability which allows users with "View" system permissions to inject new data into the logs stored by Zoneminder. This was observed through an HTTP POST request containing log information to the "/zm/index.php" endpoint. Submis

CVE-2022-29806 | LOW | CVSS 9.8 | PoC | fixed in zoneminder 1.36.13+dfsg1-1 (bookworm) | 2022 | debian
[CRITICAL] zoneminder - ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.
Scope: local. bookworm: resolved (fixed in 1.36.13+dfsg1-1); bullseye: open; forky: resolved (fixed in 1.36.13+dfsg1-1); sid: resolved (fixed in 1.36.13+dfsg1-1); trixie: resolved (fixed in 1.36.

CVE-2022-39290 | LOW | CVSS 8.0 | PoC | fixed in zoneminder 1.36.31+dfsg1-1 (bookworm) | 2022 | debian
[HIGH] zoneminder - ZoneMinder is a free, open source Closed-circuit television software application. In affected versions authenticated users can bypass CSRF keys by modifying the request supplied to the Zoneminder web application. These modifications include replacing HTTP POST with an HTTP GET and removing the CSRF key from the request. An attacker can take advantage of this by u