These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2016-10206 is a cross-site request forgery (CSRF) vulnerability in ZoneMinder 1.30.0 and earlier. According to the CVE record, a remote attacker could hijack an authenticated user’s session to submit requests that change passwords, with possible additional unspecified impact through a crafted user action request to index.php.
CVE-2016-10205 is a high-severity session fixation issue in ZoneMinder 1.30.0 and earlier. NVD states that remote attackers could hijack web sessions via the ZMSESSID cookie. The record maps this issue to CWE-384 and assigns a CVSS 3.0 score of 7.3, reflecting a network-reachable attack with no privileges or user interaction required.
CVE-2016-10204 is a critical SQL injection issue in ZoneMinder 1.30.0 and earlier. NVD states that a remote attacker can execute arbitrary SQL commands through the limit parameter in a log query request to index.php. The CVE was published on 2017-03-03 and the NVD record was later modified on 2026-05-13.
CVE-2016-10203 is a cross-site scripting vulnerability in ZoneMinder 1.30.0 and earlier. A remote attacker can inject arbitrary web script or HTML through the monitor name field when a new monitor is created, which can lead to script execution in a user’s browser under the ZoneMinder origin. NVD rates the issue as medium severity and maps it to CWE-79.
CVE-2016-10202 is a cross-site scripting (XSS) issue affecting ZoneMinder 1.30 and earlier. According to the NVD record, remote attackers can inject arbitrary web script or HTML via path info to index.php. The issue is rated CVSS 6.1 (medium) with a vector indicating network access and user interaction, and it maps to CWE-79.
CVE-2016-10201 is a cross-site scripting (XSS) vulnerability in ZoneMinder 1.30.0 and earlier. According to the NVD record, the issue can be triggered through the format parameter in a download log request to index.php. The vulnerability is rated CVSS 6.1 (MEDIUM) and requires user interaction, with low impacts to confidentiality and integrity and no impact to availability.
CVE-2017-5595 is an authenticated local file disclosure issue in ZoneMinder 1.x through v1.30.0. NVD describes it as unfiltered user input being passed to readfile() in web/views/file.php, enabling a low-privileged authenticated attacker to read files from the server’s filesystem via path traversal in the path parameter. The published CVSS v3.0 vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, reflecting a c [truncated]
CVE-2017-5368 is a CSRF issue in ZoneMinder v1.29 and v1.30 that can let an attacker induce a logged-in victim’s browser to submit unauthorized state-changing requests. According to the CVE record, this can be used to make changes to the web application as the victim and, in the described scenario, create a new admin user for persistence and follow-on access. The issue is rated high severity because it co [truncated]
CVE-2017-5367 is a reflected cross-site scripting issue affecting ZoneMinder v1.29 and v1.30. According to the CVE/NVD record, multiple form and link input parameters in /zm/index.php can be abused to inject script that runs in an authenticated client’s browser. The issue was publicly disclosed on 2017-02-06 and was assigned a medium-severity CVSS 3.0 score of 6.1.
CVE-2016-10140 is an information disclosure and authentication bypass issue tied to the Apache HTTP Server configuration bundled with ZoneMinder. NVD and the CVE references describe a remote unauthenticated attacker being able to browse directories in the web root, potentially exposing CCTV images through the /events URI.