CVE-2023-26034

2023-02-2501:15:56

Google

osv.dev

zoneminder

cctv

linux

sql injection

vulnerability

remote code execution

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

9.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.6%

JSON

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the filter[Query][terms][0][attr] query string parameter of the /zm/index.php endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.

CPENameOperatorVersion
zonemindereq1.26-beta.2
zonemindereqlist
zonemindereq1.36.26
zonemindereq1.36.28
zonemindereq1.30.0-rc2
zonemindereq1.36.24+dfsg1-1
zonemindereq1.36.9
zonemindereq1.36.19+dfsg1-1
zonemindereq1.34.2
zonemindereq1.36.7

Name	Operator	Version
zoneminder	eq	1.26-beta.2
zoneminder	eq	list
zoneminder	eq	1.36.26
zoneminder	eq	1.36.28
zoneminder	eq	1.30.0-rc2
zoneminder	eq	1.36.24+dfsg1-1
zoneminder	eq	1.36.9
zoneminder	eq	1.36.19+dfsg1-1
zoneminder	eq	1.34.2
zoneminder	eq	1.36.7