ZoneMinder contains Local File Inclusion vulnerability via `web/ajax/modal.php`
CVE-2023-26038

5.4MEDIUM

Key Information:

Vendor: Zoneminder
Status: Zoneminder
Vendor: CVE Published:; 25 February 2023

What is CVE-2023-26038?

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33.

Affected Version(s)

zoneminder < 1.36.33 < 1.36.33

zoneminder >= 1.37.0, < 1.37.33 < 1.37.0, 1.37.33

References

https://github.com/ZoneMinder/zoneminder/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 25, 2023
Vulnerability Reserved
Feb 17, 2023

Zoneminder

What is CVE-2023-26038?

Affected Version(s)

References

CVSS V3.1

Timeline