Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2013-0232 — Zoneminder vulnerability

8 documents7 sources

Severity

7.5HIGHNVD

EPSS

78.2%

top 0.98%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedMar 20

Latest updateMay 5

Description

includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/zoneminder< zoneminder 1.25.0-4 (bookworm)

▶Debianzoneminder/zoneminder< 1.25.0-4+3

▶NVDzoneminder/zoneminder6 versions+5

🔴Vulnerability Details

GHSA

GHSA-c4jr-gf6w-2x72: includes/functions↗2022-05-05

▶

OSV

CVE-2013-0232: includes/functions↗2013-03-20

▶

💥Exploits & PoCs

Exploit-DB

ZoneMinder Video Server - packageControl Command Execution (Metasploit)↗2013-01-24

▶

Metasploit

ZoneMinder Video Server packageControl Command Execution↗

▶

📋Vendor Advisories

Debian

CVE-2013-0232: zoneminder - includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier al...↗2013

▶

💬Community

Bugzilla

CVE-2013-0232 zoneminder: Arbitrary code execution due improper input sanitization in the 'setDeviceStatusX10' routine [fedora-all]↗2013-01-25

▶

Bugzilla

CVE-2013-0232 zoneminder: Arbitrary code execution due improper input sanitization in the 'setDeviceStatusX10' routine↗2013-01-25

▶