PatchSiren

CVE-2016-10202 Zoneminder CVE debrief

CVE-2016-10202 is a cross-site scripting (XSS) issue affecting Zoneminder 1.30 and earlier. According to the NVD record, remote attackers can inject arbitrary web script or HTML via path info to index.php. The issue is rated CVSS 6.1 (medium) with a vector indicating network access and user interaction, and it maps to CWE-79.

Vendor: Zoneminder
Product: CVE-2016-10202
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Zoneminder 1.30 or earlier, especially if the application is reachable by users through a browser. Web-facing deployments and environments that trust content rendered from request paths should treat this as a client-side code injection risk.

Technical summary

The NVD entry describes an XSS condition in Zoneminder’s handling of path info routed to index.php. The vulnerable versions are listed as 1.30.0 and earlier. NVD assigns CVSS v3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N and CWE-79. The source references include an oss-security mailing list post and a third-party advisory, but no patch details or exploit mechanics are included in the supplied corpus.

Defensive priority

Medium. The issue is network-reachable and does not require privileges, but it does require user interaction and is primarily a web content injection problem rather than a direct system compromise.

Recommended defensive actions

  • Confirm whether any Zoneminder instance is at version 1.30.0 or earlier.
  • Inventory internet-facing and internally reachable Zoneminder deployments that serve browser users.
  • Review request handling around index.php path info and any downstream HTML rendering for unsafe output encoding.
  • Apply vendor or distribution updates if available for your deployment; the supplied corpus does not include a fixed version.
  • Use browser-safe output encoding and input validation controls as compensating defenses where code changes are possible.
  • Monitor for abnormal redirects, injected markup, or unexpected script execution in Zoneminder pages.
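
One way to support the review and monitoring actions above is to flag web server log entries where path info after index.php decodes to HTML-significant characters. This is an added example, not code from Zoneminder, NVD or the referenced advisories; the function names, the combined access-log format, the /zm/ URL prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Characters that are significant to HTML once percent-encoding is undone.
HTML_META = re.compile(r"[<>\"'`]")
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, assumed /zm/ prefix).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /zm/index.php/watch HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /zm/index.php/%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5301',
    '198.51.100.7 - - [01/Jan/2024:10:01:09 +0000] "GET /zm/index.php/%253Cb%253E?view=console HTTP/1.1" 200 5298',
]

def path_info(target):
    """Return the path info that follows index.php, or None if there is none."""
    path = target.split("?", 1)[0]          # the query string is not path info
    marker = "index.php/"
    pos = path.find(marker)
    return None if pos == -1 else path[pos + len(marker):]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (line_number, decoded_path_info) for requests worth reviewing."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        info = path_info(match.group("target")) if match else None
        if info is None:
            continue
        decoded = decode_fully(info)
        if HTML_META.search(decoded):
            hits.append((number, decoded))
    return hits

if __name__ == "__main__":
    for number, decoded in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: path info decodes to {decoded!r}")
```

A hit only shows that markup-like input reached index.php as path info; whether it was reflected unencoded still has to be confirmed against the rendered response.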

Evidence notes

This debrief is based on the supplied NVD record and linked references. The record states: published 2017-03-03 and modified 2026-05-13; vulnerable versions are Zoneminder 1.30.0 and earlier; weakness is CWE-79; CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The reference list includes an oss-security mailing list post and a FoxMole advisory, both labeled as exploit-related references in the source metadata. No exploit steps, payloads, or remediation details beyond the record contents are included here.

Official resources

CVE published 2017-03-03; NVD modified 2026-05-13. No KEV entry or due date is provided in the supplied corpus.