CVE-2023-26034

2023-02-2501:15:56

CWE-89

[email protected]

web.nvd.nist.gov

zoneminder

cctv

sql injection

linux

security vulnerability

nvd

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.5%

JSON

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the filter[Query][terms][0][attr] query string parameter of the /zm/index.php endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.

Affected configurations

Vulners

NVD

Node

zoneminderzoneminderRange<1.36.33

zoneminderzoneminderRange1.37.0–1.37.33

VendorProductVersionCPE
zoneminderzoneminder*cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*
zoneminderzoneminder*cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zoneminder	zoneminder	*	cpe:2.3:a:zoneminder:zoneminder::::::::
zoneminder	zoneminder	*	cpe:2.3:a:zoneminder:zoneminder::::::::

CNA Affected

[
  {
    "vendor": "ZoneMinder",
    "product": "zoneminder",
    "versions": [
      {
        "version": "< 1.36.33",
        "status": "affected"
      },
      {
        "version": ">= 1.37.0, < 1.37.33",
        "status": "affected"
      }
    ]
  }
]