From DHS/US-CERT's National Vulnerability Database
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][cnj] parameter.
ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter.
includes/database.php in ZoneMinder before 1.32.3 has XSS in the construction of SQL-ERR messages.
skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS via the newControl array, as demonstrated by the newControl[MinTiltRange] parameter.
daemonControl in includes/functions.php in ZoneMinder before 1.32.3 allows command injection via shell metacharacters.