Vulnerabilities > Zoneminder
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-06-30 | CVE-2019-13072 | Cross-site Scripting vulnerability in Zoneminder 1.32.3 Stored XSS in the Filters page (Name field) in ZoneMinder 1.32.3 allows a malicious user to embed and execute JavaScript code in the browser of any user who navigates to this page. | 5.4 |
| 2019-02-18 | CVE-2019-8429 | SQL Injection vulnerability in Zoneminder ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. | 9.8 |
| 2019-02-18 | CVE-2019-8428 | SQL Injection vulnerability in Zoneminder ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value. | 9.8 |
| 2019-02-18 | CVE-2019-8427 | OS Command Injection vulnerability in Zoneminder daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters. | 9.8 |
| 2019-02-18 | CVE-2019-8426 | Cross-site Scripting vulnerability in Zoneminder skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter. | 6.1 |
| 2019-02-18 | CVE-2019-8425 | Cross-site Scripting vulnerability in Zoneminder includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages. | 6.1 |
| 2019-02-18 | CVE-2019-8424 | SQL Injection vulnerability in Zoneminder ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter. | 9.8 |
| 2019-02-18 | CVE-2019-8423 | SQL Injection vulnerability in Zoneminder ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter. | 9.8 |
| 2019-02-04 | CVE-2019-7352 | Cross-site Scripting vulnerability in Zoneminder Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, as the view 'state' (aka Run State) (state.php) does no input validation to the value supplied to the 'New State' (aka newState) field, allowing an attacker to execute HTML or JavaScript code. | 6.1 |
| 2019-02-04 | CVE-2019-7351 | Injection vulnerability in Zoneminder Log Injection exists in ZoneMinder through 1.32.3, as an attacker can entice the victim to visit a specially crafted link, which in turn will inject a custom Log message provided by the attacker in the 'log' view page, as demonstrated by the message=User%20'admin'%20Logged%20in value. | 6.5 |