ZoneMinder
SQL injection in ZoneMinder's status.php getNearEvents() function allows authenticated users with event management permissions to execute arbitrary database queries through improperly sanitized Event Name and Cause fields in versions 1.36.37 and below or 1.37.61 through 1.38.0. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker could extract sensitive data, modify database contents, or potentially achieve code execution depending on database permissions and configuration.
Command injection in ZoneMinder v1.36.34 video surveillance system via web/views/image.php. Unsanitized user input enables unauthenticated remote code execution. PoC available.