SQL Injection Vulnerability in ZoneMinder by ZoneMinder Team
CVE-2016-10204

9.8CRITICAL

Key Information:

Vendor: Zoneminder
Status: Zoneminder
Vendor: CVE Published:; 3 March 2017

What is CVE-2016-10204?

An SQL injection vulnerability in ZoneMinder versions 1.30 and earlier allows remote attackers to execute arbitrary SQL commands via the 'limit' parameter in log query requests sent to index.php. This exploit can lead to unauthorized access to sensitive data and possible database manipulation, posing significant risks to affected installations and their data integrity. It is crucial for users to apply security patches and updates to mitigate this vulnerability.

References

http://www.openwall.com/lists/oss-security/2017/02/05/1

mailing-listx_refsource_MLIST

https://www.foxmole.com/advisories/foxmole-2016-07-05.txt

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 3, 2017
Vulnerability Reserved
Feb 4, 2017

Zoneminder

What is CVE-2016-10204?

References

CVSS V3.1

Timeline