CVE-2023-26034

2023-02-2501:15:56

Debian Security Bug Tracker

security-tracker.debian.org

zoneminder

cctv

sql injection

linux

ip cameras

usb cameras

analog cameras

vulnerability

authorization

remote code execution

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.6%

JSON

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the filter[Query][terms][0][attr] query string parameter of the /zm/index.php endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.

OSVersionArchitecturePackageVersionFilename
Debian12allzoneminder< 1.36.33+dfsg1-1zoneminder_1.36.33+dfsg1-1_all.deb
Debian11allzoneminder<= 1.34.23-1zoneminder_1.34.23-1_all.deb
Debian999allzoneminder< 1.36.33+dfsg1-1zoneminder_1.36.33+dfsg1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	zoneminder	< 1.36.33+dfsg1-1	zoneminder_1.36.33+dfsg1-1_all.deb
Debian	11	all	zoneminder	<= 1.34.23-1	zoneminder_1.34.23-1_all.deb
Debian	999	all	zoneminder	< 1.36.33+dfsg1-1	zoneminder_1.36.33+dfsg1-1_all.deb