Debian Zoneminder vulnerabilities

89 known vulnerabilities affecting debian/zoneminder.

Total CVEs: 89
CISA KEV: 0
Public exploits: 11
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 8, MEDIUM 12, LOW 64

Vulnerabilities

Page 4 of 5
CVE-2019-7349 | LOW | CVSS 6.1 | fixed in zoneminder 1.34.6-1 (bookworm) | 2019
[MEDIUM] Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[V4LCapturesPerFrame]' parameter value in the view monitor (monitor.php) because proper filtration is omitted.
Scope: local. bookworm: resolved (fixed in 1.34.6-1); bullseye: resolved (fixed in 1.34.6-1); forky
CVE-2019-8429 | LOW | CVSS 9.8 | 2019
[CRITICAL] ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter.
Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
CVE-2019-7343 | LOW | CVSS 6.1 | fixed in zoneminder 1.34.6-1 (bookworm) | 2019
[MEDIUM] Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitor[Method]' parameter value in the view monitor (monitor.php) because proper filtration is omitted.
Scope: local. bookworm: resolved (fixed in 1.34.6-1); bullseye: resolved (fixed in 1.34.6-1); forky: resolved
CVE-2019-8424 | LOW | CVSS 9.8 | fixed in zoneminder 1.34.6-1 (bookworm) | 2019
[CRITICAL] ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
Scope: local. bookworm: resolved (fixed in 1.34.6-1); bullseye: resolved (fixed in 1.34.6-1); forky: resolved (fixed in 1.34.6-1); sid: resolved (fixed in 1.34.6-1); trixie: resolved (fixed in 1.34.6-1)
CVE-2019-8427 | LOW | CVSS 9.8 | 2019
[CRITICAL] daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.
Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
CVE-2019-7346 | LOW | CVSS 8.8 | fixed in zoneminder 1.34.6-1 (bookworm) | 2019
[HIGH] A CSRF check issue exists in ZoneMinder through 1.32.3: whenever a CSRF check fails, a callback function is called displaying a "Try again" button, which allows resending the failed request, making the CSRF attack successful.
Scope: local. bookworm: resolved (fixed in 1.34.6-1); bullseye: resolved (fixed in 1.34.6-1); forky: resolved (fixed in 1.34.6-1); sid: resolve
CVE-2018-1000833 | CRITICAL | CVSS 9.8 | fixed in zoneminder 1.32.3-2 (bookworm) | 2018
[CRITICAL] ZoneMinder version <= 1.32.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, or remote code execution.
Scope: local. bookworm: resolved (fixed in 1.32.3-2); bullseye: resolved (fixed in 1.32.3-2); forky: resolved (fixed in 1.32.3-2); sid: resolved (fixed in 1.32.3-2)
CVE-2018-1000832 | CRITICAL | CVSS 9.8 | fixed in zoneminder 1.32.3-2 (bookworm) | 2018
[CRITICAL] ZoneMinder version <= 1.32.2 contains an Other/Unknown vulnerability in a user-controlled parameter that can result in disclosure of confidential data, denial of service, SSRF, or remote code execution.
Scope: local. bookworm: resolved (fixed in 1.32.3-2); bullseye: resolved (fixed in 1.32.3-2); forky: resolved (fixed in 1.32.3-2); sid: resolved (fixed in 1.32.3-2)
CVE-2017-5368 | HIGH | CVSS 8.8 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2017
[HIGH] ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery), which allows a remote attacker to make changes to the web application as the currently logged-in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for r
CVE-2017-7203 | MEDIUM | CVSS 6.1 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2017
[MEDIUM] A Cross-Site Scripting (XSS) was discovered in ZoneMinder before 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. Sc
CVE-2017-5595 | MEDIUM | CVSS 5.5 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2017
[MEDIUM] A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter w
CVE-2017-5367 | MEDIUM | CVSS 6.1 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2017
[MEDIUM] Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=consol
CVE-2016-10204 | CRITICAL | CVSS 9.8 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2016
[CRITICAL] SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php.
Scope: local. bookworm: resolved (fixed in 1.30.4+dfsg-1); bullseye: resolved (fixed in 1.30.4+dfsg-1); forky: resolved (fixed in 1.30.4+dfsg-1); sid: resolved (fixed in 1.30.4+dfsg-1); tr
CVE-2016-10140 | HIGH | CVSS 7.5 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2016
[HIGH] Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI.
Scope: local. bookworm: r
CVE-2016-10206 | HIGH | CVSS 8.8 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2016
[HIGH] Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact, as demonstrated by a crafted user action request to index.php.
Scope: local. bookworm: resolved (fixed in 1.30.4+dfsg-1); bullseye: resolved (fixed
CVE-2016-10205 | HIGH | CVSS 7.3 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2016
[HIGH] Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie.
Scope: local. bookworm: resolved (fixed in 1.30.4+dfsg-1); bullseye: resolved (fixed in 1.30.4+dfsg-1); forky: resolved (fixed in 1.30.4+dfsg-1); sid: resolved (fixed in 1.30.4+dfsg-1); trixie: resolved (fixed in 1.30.4+dfsg-1)
CVE-2016-10201 | MEDIUM | CVSS 6.1 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2016
[MEDIUM] Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php.
Scope: local. bookworm: resolved (fixed in 1.30.4+dfsg-1); bullseye: resolved (fixed in 1.30.4+dfsg-1); forky: resolved (fixed in 1.30.4+dfsg-1); sid: resolved (fixed
CVE-2016-10203 | MEDIUM | CVSS 6.1 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2016
[MEDIUM] Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor.
Scope: local. bookworm: resolved (fixed in 1.30.4+dfsg-1); bullseye: resolved (fixed in 1.30.4+dfsg-1); forky: resolved (fixed in 1.30.4+dfsg-1); sid: resolved (fixed in 1.30.4+dfsg-1); trixi
CVE-2016-10202 | MEDIUM | CVSS 6.1 | fixed in zoneminder 1.30.4+dfsg-1 (bookworm) | 2016
[MEDIUM] Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php.
Scope: local. bookworm: resolved (fixed in 1.30.4+dfsg-1); bullseye: resolved (fixed in 1.30.4+dfsg-1); forky: resolved (fixed in 1.30.4+dfsg-1); sid: resolved (fixed in 1.30.4+dfsg-1); trixie: resolve
CVE-2013-0232 | HIGH | CVSS 7.5 | PoC | fixed in zoneminder 1.25.0-4 (bookworm) | 2013
[HIGH] includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.
Scope: local. bookworm: resolved (fixed in 1.25.0-4); bullseye: resolved (fixe