PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10201 ZoneMinder CVE debrief

CVE-2016-10201 is a cross-site scripting (XSS) vulnerability in ZoneMinder 1.30.0 and earlier. According to the NVD record, the issue can be triggered through the format parameter in a download log request to index.php. The vulnerability is rated CVSS 6.1 (MEDIUM) and requires user interaction, with low impact on confidentiality and integrity and no impact on availability.

Vendor: ZoneMinder
Product: CVE-2016-10201
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

ZoneMinder administrators, security teams, and anyone operating exposed or internet-accessible ZoneMinder deployments should review this issue. Web application owners should also care because the flaw involves script or HTML injection in a browser context.

Technical summary

NVD maps CVE-2016-10201 to CWE-79 (cross-site scripting) and lists ZoneMinder as vulnerable through version 1.30.0. The CVSS v3 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates a network-reachable issue with no privileges required, but successful exploitation depends on user interaction. The vulnerable input identified in the record is the format parameter in a download log request to index.php, which can allow arbitrary web script or HTML injection.

Defensive priority

Medium. This is an exploitable web XSS issue, but the NVD vector shows that user interaction is required and that there is no availability impact. It should still be prioritized for patching or mitigation on any active ZoneMinder deployment, especially where users reach the web UI from untrusted contexts.

Recommended defensive actions

  • Inventory ZoneMinder instances and confirm whether any deployment is running version 1.30.0 or earlier.
  • Review web-facing access to the ZoneMinder interface and limit exposure where possible.
  • Apply the vendor-supported fix or upgrade path referenced by your ZoneMinder maintenance guidance.
  • Treat the affected download log request path as untrusted input and verify that output encoding and parameter validation are in place.
  • Advise users to avoid following untrusted links or interacting with suspicious web content that could target the ZoneMinder interface.
  • Monitor security advisories and the NVD record for any additional remediation guidance or updates.
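The fourth action above asks you to verify two controls on the log-download path: parameter validation and output encoding. The following is an added example illustrating both, plus a small access-log review aid; it is hypothetical code and not ZoneMinder's own handler. The allowlist contents, the query parameter names other than format, the /zm/index.php path and the log lines are all constructed assumptions.

```python
"""Allowlist validation, output encoding, and an access-log checker for a
'format' parameter on a log-download endpoint (added example, not project code)."""
from html import escape
from urllib.parse import urlsplit, parse_qs
import re

# Assumed allowlist of export formats; a real deployment uses whatever its
# application actually supports.
ALLOWED_FORMATS = {"text", "tsv", "html", "xml"}


def validate_format(raw: str) -> str:
    """Return the canonical format name or raise on anything off the allowlist.
    Rejecting early means the raw value never reaches an HTML context."""
    value = (raw or "").strip().lower()
    if value not in ALLOWED_FORMATS:
        raise ValueError("unsupported format")
    return value


def render_download_notice(raw_format: str) -> str:
    """Reflect the requested format into an HTML response body.

    Even an allowlisted value is encoded on output: encoding is the control
    that still holds if the allowlist is ever loosened later."""
    try:
        fmt = validate_format(raw_format)
    except ValueError:
        # The error path reflects the untrusted value too, so it is encoded as well.
        return "<p>Unsupported format: " + escape(raw_format, quote=True) + "</p>"
    return "<p>Preparing log download in " + escape(fmt, quote=True) + " format.</p>"


# Common Log Format: the request target sits inside the quoted request field.
_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_format_requests(log_lines):
    """Yield (client_ip, decoded_format_value) for index.php requests whose
    'format' query value is not on the allowlist. A triage aid for log review,
    not a blocking control."""
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/index.php"):
            continue
        # parse_qs percent-decodes values, so markup hidden as %3C..%3E is visible here.
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("format", []):
            if value.strip().lower() not in ALLOWED_FORMATS:
                client = line.split(" ", 1)[0]
                yield client, value


# Constructed sample access-log lines (not from any real deployment).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2017:10:00:01 +0000] "GET /zm/index.php?view=log&action=download&format=text HTTP/1.1" 200 512',
    '192.0.2.11 - - [03/Mar/2017:10:00:02 +0000] "GET /zm/index.php?view=log&action=download&format=%3Cb%3Ebold%3C%2Fb%3E HTTP/1.1" 200 512',
    '192.0.2.12 - - [03/Mar/2017:10:00:03 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 2048',
    '192.0.2.13 - - [03/Mar/2017:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    print(render_download_notice("text"))
    print(render_download_notice("<b>bold</b>"))
    for client, value in suspicious_format_requests(SAMPLE_LOG):
        print(f"{client}: unexpected format value {value!r}")
```

The log checker only reports values outside the allowlist rather than pattern-matching for script tags, so it also surfaces probing with values that would not be obviously malicious; review hits against the application's real format list before acting on them.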

Evidence notes

The debrief is based on the NVD CVE record and the linked references provided in the corpus. The record explicitly states XSS in ZoneMinder 1.30 and earlier via the format parameter in a download log request to index.php, and it lists CWE-79 with the CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The CVE published date is 2017-03-03, which should be used for issue timing; the 2026-05-13 modified date reflects later record updates, not original disclosure timing.

Official resources

Publicly disclosed in the CVE record on 2017-03-03. The NVD record was later modified on 2026-05-13; that later date should not be treated as the vulnerability's original disclosure date.