Package details: pkg:deb/debian/zoneminder@1.30.4%2Bdfsg-1?distro=trixie
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (11)
Vulnerability Summary Aliases
VCID-694p-mbsg-e7f6 Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS] view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among others). CVE-2017-5367
VCID-aqfu-4m9a-hbd4 A Cross-Site Scripting (XSS) vulnerability was discovered in ZoneMinder before 1.30.2. The vulnerability exists due to insufficient filtration of user-supplied data (postLoginQuery) passed to the "ZoneMinder-master/web/skins/classic/views/js/postlogin.js.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. CVE-2017-7203
VCID-dp5c-4aaa-uyaq A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request. CVE-2017-5595
VCID-f9wt-f98j-ekeh Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the path info to index.php. CVE-2016-10202
VCID-mx9e-1cur-mqfz Information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29, which allows a remote unauthenticated attacker to browse all directories in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server via the /events URI. CVE-2016-10140
VCID-r4zz-6j52-cue5 Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the name when creating a new monitor. CVE-2016-10203
VCID-rdyb-mgsn-gyb5 ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attacker to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others). CVE-2017-5368
VCID-sdf7-gmgd-pkf8 Session fixation vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack web sessions via the ZMSESSID cookie. CVE-2016-10205
VCID-w96c-3tde-d7b1 SQL injection vulnerability in Zoneminder 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the limit parameter in a log query request to index.php. CVE-2016-10204
VCID-ys4w-ngmr-mbh9 Cross-site scripting (XSS) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to inject arbitrary web script or HTML via the format parameter in a download log request to index.php. CVE-2016-10201
VCID-zu3w-apm5-8bdw Cross-site request forgery (CSRF) vulnerability in Zoneminder 1.30 and earlier allows remote attackers to hijack the authentication of users for requests that change passwords and possibly have unspecified other impact as demonstrated by a crafted user action request to index.php. CVE-2016-10206

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T13:01:52.547472+00:00 Debian Importer Fixing VCID-mx9e-1cur-mqfz https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:44:57.472168+00:00 Debian Importer Fixing VCID-aqfu-4m9a-hbd4 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:12:19.302399+00:00 Debian Importer Fixing VCID-zu3w-apm5-8bdw https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T12:00:38.310104+00:00 Debian Importer Fixing VCID-ys4w-ngmr-mbh9 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T11:40:32.220391+00:00 Debian Importer Fixing VCID-r4zz-6j52-cue5 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:58:50.077284+00:00 Debian Importer Fixing VCID-sdf7-gmgd-pkf8 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T10:23:01.759236+00:00 Debian Importer Fixing VCID-w96c-3tde-d7b1 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:51:01.015074+00:00 Debian Importer Fixing VCID-694p-mbsg-e7f6 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:48:30.406236+00:00 Debian Importer Fixing VCID-dp5c-4aaa-uyaq https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T09:17:49.175890+00:00 Debian Importer Fixing VCID-f9wt-f98j-ekeh https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-16T08:58:44.728496+00:00 Debian Importer Fixing VCID-rdyb-mgsn-gyb5 https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-13T08:57:24.220168+00:00 Debian Importer Fixing VCID-mx9e-1cur-mqfz https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:44:33.679453+00:00 Debian Importer Fixing VCID-aqfu-4m9a-hbd4 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:20:54.678207+00:00 Debian Importer Fixing VCID-zu3w-apm5-8bdw https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T08:12:09.417811+00:00 Debian Importer Fixing VCID-ys4w-ngmr-mbh9 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:57:15.978543+00:00 Debian Importer Fixing VCID-r4zz-6j52-cue5 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T07:26:59.490025+00:00 Debian Importer Fixing VCID-sdf7-gmgd-pkf8 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T06:59:47.430749+00:00 Debian Importer Fixing VCID-w96c-3tde-d7b1 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T06:35:07.712175+00:00 Debian Importer Fixing VCID-694p-mbsg-e7f6 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-13T06:33:12.063090+00:00 Debian Importer Fixing VCID-dp5c-4aaa-uyaq https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T18:12:44.447723+00:00 Debian Importer Fixing VCID-f9wt-f98j-ekeh https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-11T18:01:20.704031+00:00 Debian Importer Fixing VCID-rdyb-mgsn-gyb5 https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-03T07:59:17.366359+00:00 Debian Importer Fixing VCID-aqfu-4m9a-hbd4 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:17.318936+00:00 Debian Importer Fixing VCID-dp5c-4aaa-uyaq https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:17.271781+00:00 Debian Importer Fixing VCID-rdyb-mgsn-gyb5 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:17.224754+00:00 Debian Importer Fixing VCID-694p-mbsg-e7f6 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:17.176801+00:00 Debian Importer Fixing VCID-zu3w-apm5-8bdw https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:17.129716+00:00 Debian Importer Fixing VCID-sdf7-gmgd-pkf8 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:17.082678+00:00 Debian Importer Fixing VCID-w96c-3tde-d7b1 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:17.035713+00:00 Debian Importer Fixing VCID-r4zz-6j52-cue5 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:16.988878+00:00 Debian Importer Fixing VCID-f9wt-f98j-ekeh https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:16.941832+00:00 Debian Importer Fixing VCID-ys4w-ngmr-mbh9 https://security-tracker.debian.org/tracker/data/json 38.1.0
2026-04-03T07:59:16.893730+00:00 Debian Importer Fixing VCID-mx9e-1cur-mqfz https://security-tracker.debian.org/tracker/data/json 38.1.0