Source: cvelist (GitHub_M), CVELIST:CVE-2023-26039
History: Feb 25, 2023 - 1:31 a.m.

CVE-2023-26039 ZoneMinder vulnerable to OS Command injection in daemonControl() API

Published: 2023-02-25 01:31:36
CWE: CWE-78
Reporter: GitHub_M (www.cve.org)
Tags: zoneminder, command injection, daemoncontrol api, authentication, patched vulnerability

CVSS3: 7.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

AI Score: 9.1
Confidence: High
EPSS: 0.001
Percentile: 48.3%

ZoneMinder is a free, open source closed-circuit television (CCTV) software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS command injection via daemonControl() in /web/api/app/Controller/HostController.php. Any authenticated user can construct an API request to this endpoint that executes an arbitrary shell command as the web server user. This issue is patched in versions 1.36.33 and 1.37.33.

CNA Affected

[
  {
    "vendor": "ZoneMinder",
    "product": "zoneminder",
    "versions": [
      {
        "version": "< 1.36.33",
        "status": "affected"
      },
      {
        "version": ">= 1.37.0, < 1.37.33",
        "status": "affected"
      }
    ]
  }
]
