CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
44.5%
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the filter[Query][terms][0][attr]
query string parameter of the /zm/index.php
endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.
Vendor | Product | Version | CPE |
---|---|---|---|
zoneminder | zoneminder | * | cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:* |
[
{
"vendor": "ZoneMinder",
"product": "zoneminder",
"versions": [
{
"version": "< 1.36.33",
"status": "affected"
},
{
"version": ">= 1.37.0, < 1.37.33",
"status": "affected"
}
]
}
]