ZoneMinder SQL Injection
CVE-2023-26034
9.6 CRITICAL
What is CVE-2023-26034?
ZoneMinder, a widely used open-source CCTV application, is vulnerable to blind SQL injection through the filter[Query][terms][0][attr] parameter of the /zm/index.php endpoint: the attribute name of an event filter term reaches the SQL query without adequate validation. An authenticated user with only View or Edit permission on Events can use it to execute arbitrary SQL, which can expose or modify sensitive data and may allow authentication and authorization bypass. Because the injection is blind, an attacker does not see query output directly but infers it from differences in the response (for example, which events are listed for a true versus a false condition). The low privilege required and the reach of arbitrary SQL are why the issue is rated critical; upgrade to a fixed release promptly.
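The following is an added illustration, not ZoneMinder's code: it models how a filter term whose attribute name is spliced straight into SQL becomes a boolean-based blind injection, and how a column whitelist closes it. The events/users schema, the column list, the operator map and the query shape are assumptions for the example only; ZoneMinder's real filter code and schema differ. The request parser expands PHP-style bracketed keys such as filter[Query][terms][0][attr] the way PHP populates $_REQUEST, so the payloads are exercised in the form they would arrive in.

```python
"""Blind SQL injection through a filter-term attribute name (illustration only).

Hypothetical model of the vulnerable pattern behind CVE-2023-26034 and of a
whitelist fix. Table layout, column names and the request builder are
constructed for this example, not taken from ZoneMinder.
"""
import re
import sqlite3
from urllib.parse import parse_qsl, urlencode

# Column names a filter term may reference (assumed for the example).
ALLOWED_ATTRS = {"Id", "Name", "MonitorId", "StartDateTime", "Cause"}
# Operator tokens accepted from the form, mapped to SQL (assumed).
ALLOWED_OPS = {"=": "=", "!=": "<>", "<": "<", ">": ">"}


def parse_bracket_qs(query: str) -> dict:
    """Expand a[b][c]=v keys into nested dicts, as PHP does for $_REQUEST."""
    root: dict = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        path = [key.split("[", 1)[0]] + re.findall(r"\[([^\]]*)\]", key)
        node = root
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return root


def terms_from_request(query: str) -> list:
    """Return filter[Query][terms][N] entries in index order."""
    terms = parse_bracket_qs(query).get("filter", {}).get("Query", {}).get("terms", {})
    return [terms[k] for k in sorted(terms, key=int)]


def vulnerable_where(terms):
    """The injection pattern: attr is interpolated into the SQL text."""
    clauses, params = [], []
    for t in terms:
        op = ALLOWED_OPS.get(t.get("op", "="), "=")
        clauses.append(f"E.{t['attr']} {op} ?")  # attr is attacker-controlled
        params.append(t.get("val", ""))
    return (" AND ".join(clauses) or "1=1"), params


def hardened_where(terms):
    """Fix: attr must be a known column, op a known token; values stay bound."""
    clauses, params = [], []
    for t in terms:
        attr = t.get("attr", "")
        if attr not in ALLOWED_ATTRS:
            raise ValueError(f"unknown filter attribute: {attr!r}")
        op = ALLOWED_OPS.get(t.get("op", "="))
        if op is None:
            raise ValueError(f"unknown operator: {t.get('op')!r}")
        clauses.append(f'E."{attr}" {op} ?')  # quoted identifier; MySQL would use backticks
        params.append(t.get("val", ""))
    return (" AND ".join(clauses) or "1=1"), params


def demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the events and users tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE Events (Id INTEGER, Name TEXT, MonitorId INTEGER, Cause TEXT);
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Events VALUES (1, 'Motion', 1, 'Motion'),
                                  (2, 'Forced', 1, 'Forced Web'),
                                  (3, 'Motion', 2, 'Motion');
        INSERT INTO Users VALUES ('admin', 'constructed-hash');
        """
    )
    return db


def count_events(db, builder, query: str) -> int:
    """Run the filter the way a list endpoint would and return the row count."""
    where, params = builder(terms_from_request(query))
    return db.execute(f"SELECT COUNT(*) FROM Events AS E WHERE {where}", params).fetchone()[0]


def filter_query(attr: str, op: str = "=", val: str = "") -> str:
    """Encode a single-term filter as the browser form would submit it."""
    return urlencode([
        ("filter[Query][terms][0][attr]", attr),
        ("filter[Query][terms][0][op]", op),
        ("filter[Query][terms][0][val]", val),
    ])


BENIGN = filter_query("MonitorId", "=", "1")
# Boolean-based blind probe: the row count reveals whether the subquery is true.
PROBE_TRUE = filter_query(
    "Id = 0 OR (SELECT COUNT(*) FROM Users WHERE Username='admin') > 0 OR E.Id", "=", "1")
PROBE_FALSE = filter_query(
    "Id = 0 OR (SELECT COUNT(*) FROM Users WHERE Username='nobody') > 0 OR E.Id", "=", "1")

if __name__ == "__main__":
    db = demo_db()
    print("vulnerable, benign :", count_events(db, vulnerable_where, BENIGN))
    print("vulnerable, probe T:", count_events(db, vulnerable_where, PROBE_TRUE))
    print("vulnerable, probe F:", count_events(db, vulnerable_where, PROBE_FALSE))
    print("hardened,   benign :", count_events(db, hardened_where, BENIGN))
    try:
        count_events(db, hardened_where, PROBE_TRUE)
    except ValueError as e:
        print("hardened,   probe T: rejected,", e)
```

With the vulnerable builder the two probes return different event counts depending on whether the injected subquery is true, which is all a blind attacker needs to extract data one bit at a time; the hardened builder rejects anything that is not a known column name before it can reach the query.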
Affected Version(s)
zoneminder < 1.36.33 (patched in 1.36.33)
zoneminder >= 1.37.0, < 1.37.33 (patched in 1.37.33)