CVE-2023-26039

2023-02-2502:15:13

CWE-78

[email protected]

web.nvd.nist.gov

zoneminder

cve-2023-26039

os command injection

daemoncontrol

security vulnerability

patch

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.4%

JSON

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33.

Affected configurations

Vulners

NVD

Node

zoneminderzoneminderRange<1.36.33

zoneminderzoneminderRange1.37.0–1.37.33

VendorProductVersionCPE
zoneminderzoneminder*cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*
zoneminderzoneminder*cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zoneminder	zoneminder	*	cpe:2.3:a:zoneminder:zoneminder::::::::
zoneminder	zoneminder	*	cpe:2.3:a:zoneminder:zoneminder::::::::

CNA Affected

[
  {
    "vendor": "ZoneMinder",
    "product": "zoneminder",
    "versions": [
      {
        "version": "< 1.36.33",
        "status": "affected"
      },
      {
        "version": ">= 1.37.0, < 1.37.33",
        "status": "affected"
      }
    ]
  }
]