Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-3880 — SQL Injection in Zoneminder

CWE-89 — SQL Injection CWE-77 — Command Injection CWE-79 — Cross-site Scripting7 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 37.90%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedSep 2

Latest updateMay 2

Description

SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary SQL commands via the filter array parameter.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/zoneminder< zoneminder 1.24.1-1 (bookworm)

▶Debianzoneminder/zoneminder< 1.24.1-1+3

▶NVDzoneminder/zoneminder1.23.3+36

🔴Vulnerability Details

GHSA

GHSA-fg4c-q4wp-fvrw: SQL injection vulnerability in zm_html_view_event↗2022-05-02

▶

OSV

CVE-2008-3880: SQL injection vulnerability in zm_html_view_event↗2008-09-02

▶

💥Exploits & PoCs

Exploit-DB

airVisionNVR 1.1.13 - 'readfile()' Disclosure / SQL Injection↗2012-10-15

▶

📋Vendor Advisories

Red Hat

zoneminder: command injection, SQL injection and multiple XSS issues (CVE-2008-3882, CVE-2008-3880, CVE-2008-3881)↗2008-08-26

▶

Debian

CVE-2008-3880: zoneminder - SQL injection vulnerability in zm_html_view_event.php in ZoneMinder 1.23.3 and e...↗2008

▶

💬Community

Bugzilla

zoneminder: command injection, SQL injection and multiple XSS issues (CVE-2008-3882, CVE-2008-3880, CVE-2008-3881)↗2008-08-27

▶