CVE-2023-26037 ZoneMinder contains SQL Injection via report_event_audit

2023-02-2501:18:41

CWE-89

GitHub_M

www.cve.org

zoneminder

sql injection

linux

cctv

ip cameras

usb cameras

analog cameras

validation

arbitrary sql

CVSS3

8.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

AI Score

9.7

Confidence

High

EPSS

0.001

Percentile

50.6%

JSON

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.

CNA Affected

[
  {
    "vendor": "ZoneMinder",
    "product": "zoneminder",
    "versions": [
      {
        "version": "< 1.36.33",
        "status": "affected"
      },
      {
        "version": ">= 1.37.0, < 1.37.33",
        "status": "affected"
      }
    ]
  }
]