SQL Injection Vulnerability in ZoneMinder's WWW/AJAX/watch.php
CVE-2023-41884


Key Information:

Vendor: Zoneminder
CVE Published: 12 August 2024

Summary

A vulnerability exists in ZoneMinder, an open-source closed-circuit television (CCTV) software package, that makes it susceptible to SQL injection. The issue arises from improperly sanitized inputs used in SQL queries, specifically in the WWW/AJAX/watch.php file. This flaw allows an attacker to manipulate SQL queries, leading to unauthorized data access and manipulation. The vulnerability has been addressed in version 1.36.34; users of ZoneMinder should update to that version or later.

Affected Version(s)

zoneminder < 1.36.34

CVSS v3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved