CVE-2023-26034 ZoneMinder SQL Injection

2023-02-2500:58:47

CWE-89

GitHub_M

www.cve.org

zoneminder

sql injection

linux

ip cameras

usb cameras

analog cameras

version 1.36.33

version 1.37.33

vulnerability

filter query

endpoint

events

unauthorized data access

modification

authentication bypass

authorization bypass

remote code execution

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

47.6%

JSON

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the filter[Query][terms][0][attr] query string parameter of the /zm/index.php endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.

CNA Affected

[
  {
    "vendor": "ZoneMinder",
    "product": "zoneminder",
    "versions": [
      {
        "version": "< 1.36.33",
        "status": "affected"
      },
      {
        "version": ">= 1.37.0, < 1.37.33",
        "status": "affected"
      }
    ]
  }
]