ZoneMinder contains SQL injection via malicious Jason Web Token
CVE-2023-26032

8.9HIGH

Key Information:

Vendor: Zoneminder
Status: Zoneminder
Vendor: CVE Published:; 25 February 2023

What is CVE-2023-26032?

ZoneMinder, an open-source CCTV software application, is susceptible to an SQL Injection vulnerability due to improper handling of JWT tokens in versions prior to 1.36.33 and 1.37.33. The vulnerability arises from the trust placed on the Username field within the JWT token when executing SQL queries to load user data. An attacker who can ascertain the HASH key utilized by ZoneMinder may forge a malicious JWT token, leading to the execution of arbitrary SQL commands. This vulnerability emphasizes the need for secure coding practices and ensures that all users upgrade to the patched versions to mitigate potential risks.

Affected Version(s)

zoneminder < 1.36.33 < 1.36.33

zoneminder >= 1.37.0, < 1.37.33 < 1.37.0, 1.37.33

References

https://github.com/ZoneMinder/zoneminder/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.9

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Feb 25, 2023
Vulnerability Reserved
Feb 17, 2023

Zoneminder

What is CVE-2023-26032?

Affected Version(s)

References

CVSS V3.1

Timeline