ZoneMinder is vulnerable to cross-site scripting (XSS). The vulnerability exists because the sortHeader() function in functions.php performs no validation: it returns the value of the limit query string parameter without applying any filtering.
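
The pattern described above, next to a hardened form, as an added example that is not ZoneMinder's own source. The function names, the URL layout and the 1 to 10000 bound are hypothetical, and the example assumes the returned string is printed into an HTML attribute.

```php
<?php
// Added illustration; NOT ZoneMinder's actual code. Function names,
// parameters and URL layout are hypothetical.

// Vulnerable pattern: the raw "limit" value is concatenated into a string
// that the caller later prints into the page (assumed: an href attribute).
function sort_header_unsafe(string $field, array $request): string
{
    return '?view=events&sort_field=' . $field
         . '&limit=' . ($request['limit'] ?? '');
}

// Hardened pattern:
//  1. validate "limit" as a bounded integer and drop it if it is not one;
//  2. build the query with http_build_query(), which URL-encodes each value;
//  3. HTML-escape the finished string for the attribute it is printed into.
function sort_header_safe(string $field, array $request): string
{
    $limit = filter_var(
        $request['limit'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]] // assumed bound
    );

    $params = ['view' => 'events', 'sort_field' => $field];
    if ($limit !== false) {
        $params['limit'] = $limit;
    }

    return htmlspecialchars(
        '?' . http_build_query($params),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
}

// Constructed sample input: a "limit" value carrying quote and angle-bracket
// characters, which would close the attribute and open a new tag if echoed raw.
$request = ['limit' => '25"><i>x</i>'];

echo sort_header_unsafe('StartTime', $request), PHP_EOL; // markup passes through
echo sort_header_safe('StartTime', $request), PHP_EOL;   // invalid limit dropped
echo sort_header_safe('StartTime', ['limit' => '25']), PHP_EOL; // valid limit kept
```

Validating the parameter as an integer closes this specific input, while the output escaping covers any other value that reaches the same string.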