ZoneMinder SQL Injection
CVE-2023-26034
What is CVE-2023-26034?
ZoneMinder, a widely used open-source CCTV software, is susceptible to a blind SQL Injection vulnerability found in the filter[Query][terms][0][attr] parameter of the /zm/index.php endpoint. Users with View or Edit permissions for Events can exploit this vulnerability to execute arbitrary SQL commands, leading to potential unauthorized access and modification of sensitive data, as well as possible authentication and authorization bypass. This flaw emphasizes the critical importance of applying security patches and updates promptly to mitigate risks.
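A defender-side check for the parameter named above, added here as an example and not taken from ZoneMinder or the advisory: it scans web access log lines for requests to /zm/index.php whose filter[Query][terms][N][attr] value is not a plain identifier. The identifier allowlist, the combined log format and the sample lines are assumptions made for this example; requests that carry the parameter in a POST body do not appear in an access log and need a different source.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate attribute names are plain identifiers (e.g. MonitorId).
SAFE_ATTR = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Matches the parameter from the advisory at any term index, after URL decoding.
ATTR_KEY = re.compile(r"filter\[Query\]\[terms\]\[\d+\]\[attr\]")
# Request line of a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_attrs(log_line):
    """Return (key, decoded value) pairs whose attr value is not an identifier."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/zm/index.php"):
        return []
    hits = []
    # parse_qsl percent-decodes keys and values, so encoded brackets still match.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if ATTR_KEY.fullmatch(key) and not SAFE_ATTR.fullmatch(value):
            hits.append((key, value))
    return hits

def scan(lines):
    """Return (line number, key, value) for every flagged parameter."""
    return [(n, k, v) for n, line in enumerate(lines, 1)
            for k, v in suspicious_attrs(line)]

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2023:10:00:00 +0000] "GET /zm/index.php?view=events'
    '&filter[Query][terms][0][attr]=MonitorId&filter[Query][terms][0][op]=%3D'
    '&filter[Query][terms][0][val]=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Mar/2023:10:00:05 +0000] "GET /zm/index.php?view=events'
    '&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Battr%5D=Name%27%20x HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Mar/2023:10:00:09 +0000] "GET /zm/index.php?view=console'
    ' HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, key, value in scan(SAMPLE_LOG):
        print(f"line {n}: {key} = {value!r}")
```

A hit is a reason to review the account that made the request and to confirm the installed version against the affected ranges, not proof of compromise.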

Affected Version(s)
zoneminder < 1.36.33
zoneminder >= 1.37.0, < 1.37.33
