PatchSiren cyber security CVE debrief
CVE-2016-10203 Zoneminder CVE debrief
CVE-2016-10203 is a cross-site scripting vulnerability in ZoneMinder 1.30.0 and earlier. A remote attacker can inject arbitrary web script or HTML through the monitor name field when a new monitor is created, which can lead to script execution in a user’s browser under the ZoneMinder origin. NVD rates the issue as medium severity and maps it to CWE-79.
- Vendor: Zoneminder
- Product: CVE-2016-10203
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-03
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-03
- Advisory updated: 2026-05-13
Who should care
ZoneMinder administrators, security teams responsible for the web interface, and anyone allowing trusted or untrusted users to create or manage monitors should prioritize this issue. It matters most in deployments where browser sessions have elevated access or where multiple users share the application.
Technical summary
NVD describes the flaw as cross-site scripting in ZoneMinder affecting version 1.30.0 and earlier. The vulnerable path is the monitor creation workflow, specifically the name field, where attacker-supplied HTML or script can be injected. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: the flaw is reachable over the network with low attack complexity and requires no privileges, but it does require user interaction; scope is changed, confidentiality and integrity impact are low, and there is no availability impact.
Defensive priority
Medium. The issue is exploitable remotely and can affect browser sessions, but it requires user interaction and is not rated as availability-impacting in the supplied CVSS vector.
Recommended defensive actions
- Upgrade ZoneMinder to a version newer than 1.30.0.
- Review and harden server-side output encoding and input validation for monitor names and other web UI fields.
- Limit administrative access to the ZoneMinder interface and reduce exposure of the application to untrusted users.
- Use browser/session protections where possible, and verify that any reverse proxy or web application firewall rules do not break legitimate encoding.
- After upgrading, test the monitor creation workflow to confirm that user-supplied names are rendered safely.
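A post-upgrade check for the last two actions above (an added example, not ZoneMinder's own code): a benign probe name with HTML metacharacters is fed through a hypothetical unsafe and a hardened rendering of the monitor row and edit form, and a parser-based check confirms the name reaches the browser only as data. The template strings and the field name `monitor_name` are assumptions, not ZoneMinder's markup.

```python
import html
from html.parser import HTMLParser

# Benign probe name, constructed for this check: harmless markup plus the
# characters that must be encoded in element-text and attribute contexts.
PROBE_NAME = 'Front Door <i>probe</i> & "quote" \'apos\''


def render_row_unsafe(name: str) -> str:
    """Hypothetical stand-in for the CWE-79 pattern: name interpolated raw."""
    return f'<tr><td class="colName">{name}</td></tr>'


def render_row_safe(name: str) -> str:
    """Hardened form: encode for the HTML context before interpolation."""
    return f'<tr><td class="colName">{html.escape(name, quote=True)}</td></tr>'


def render_edit_form_safe(name: str) -> str:
    """Same rule in attribute context (hypothetical edit-form input)."""
    return f'<input type="text" name="monitor_name" value="{html.escape(name, quote=True)}">'


class _Collector(HTMLParser):
    """Records start tags, decoded text nodes and decoded attribute values."""

    def __init__(self) -> None:
        super().__init__()
        self.tags, self.text, self.attr_values = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_values.extend(v for _, v in attrs if v is not None)

    def handle_data(self, data):
        self.text.append(data)


def name_rendered_safely(page: str, name: str = PROBE_NAME) -> bool:
    """True if a browser would see the name as data, never as markup: the
    probe's <i> must not become an element, and the whole name must survive
    intact inside one text node or one attribute value (a partial match means
    the name broke out of its context somewhere)."""
    c = _Collector()
    c.feed(page)
    c.close()
    if "i" in c.tags:
        return False
    return any(name in t for t in c.text) or any(name in v for v in c.attr_values)
```

Run the check against the HTML the upgraded server actually returns for a monitor named `PROBE_NAME`; a `False` result means the name is still being interpolated without context-appropriate encoding.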
Evidence notes
The supplied NVD record states that the vulnerability affects ZoneMinder 1.30.0 and earlier and is triggered via the monitor name when creating a new monitor. NVD assigns CWE-79 and the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The record references an oss-security mailing list post dated 2017-02-05, a SecurityFocus BID entry, and a third-party advisory URL in the source corpus. No exploit steps or vendor fix details beyond the affected version range are included here.
Official resources
- CVE-2016-10203 CVE record (CVE.org)
- CVE-2016-10203 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Exploit, Mailing List
- Source reference
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
The CVE was published by the supplied record on 2017-03-03. The source corpus also cites an oss-security mailing list reference dated 2017-02-05, which provides disclosure context, but the CVE publication date should be used for the primary