{"id":"CVE-2016-10140","details":"An information disclosure and authentication bypass vulnerability exists in the Apache HTTP Server configuration bundled with ZoneMinder v1.30 and v1.29. It allows a remote unauthenticated attacker to browse all directories in the web root; for example, such an attacker can view all CCTV images on the server via the /events URI.","modified":"2026-02-21T00:55:13.117495Z","published":"2017-01-13T09:59:00.343Z","related":["MGASA-2017-0162"],"references":[{"type":"WEB","url":"http://seclists.org/bugtraq/2017/Feb/6"},{"type":"WEB","url":"http://seclists.org/fulldisclosure/2017/Feb/11"},{"type":"WEB","url":"http://www.securityfocus.com/bid/96849"},{"type":"REPORT","url":"https://github.com/ZoneMinder/ZoneMinder/pull/1697"},{"type":"FIX","url":"https://github.com/ZoneMinder/ZoneMinder/commit/71898df7565ed2a51dfe76a1cf30ddb81fc888ba"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zoneminder/zoneminder","events":[{"introduced":"0"},{"fixed":"71898df7565ed2a51dfe76a1cf30ddb81fc888ba"}]}],"versions":["v1.25","v1.26-beta.1","v1.26-beta.2","v1.26-beta.3","v1.26.0","v1.26.1","v1.26.2","v1.26.3","v1.26.4","v1.26.5","v1.27.0","v1.28.0","v1.29.0","v1.29.0-rc1","v1.29.0-rc2","v1.30.0","v1.30.0-rc1","v1.30.0-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10140.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}