ZoneMinder vulnerable to OS Command injection in daemonControl() API
CVE-2023-26039
7.1 HIGH
What is CVE-2023-26039?
An OS command injection vulnerability exists in ZoneMinder, a popular open-source application for managing closed-circuit television systems, affecting versions prior to 1.36.33 and 1.37.33. An authenticated user can construct a daemonControl() API command that executes arbitrary shell commands as the web user. The vulnerability is addressed in releases 1.36.33 and 1.37.33; updating to one of them removes the exposure.
Affected Version(s)
zoneminder < 1.36.33
zoneminder >= 1.37.0, < 1.37.33