CVE-2019-8428 — SQL Injection in Zoneminder

CWE-89 — SQL Injection6 documents4 sources

Severity

9.8CRITICALNVD

OSV6.5

EPSS

0.3%

top 44.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedFeb 18

Latest updateMay 14

Description

ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.php groupSql parameter, as demonstrated by a newGroup[MonitorIds][] value.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/zoneminder< zoneminder 1.34.6-1 (bookworm)

▶NVDzoneminder/zoneminder< 1.32.3

▶Debianzoneminder/zoneminder< 1.34.6-1+3

🔴Vulnerability Details

GHSA

GHSA-7f2f-855w-j2r6: ZoneMinder before 1↗2022-05-14

▶

OSV

linux, linux-aws, linux-gcp, linux-gcp-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3 vulnerabilities↗2020-04-10

▶

OSV

linux-azure, linux-gcp, linux-gke-5.0, linux-oem-osp1, linux-oracle-5.0 vulnerabilities↗2020-04-07

▶

OSV

CVE-2019-8428: ZoneMinder before 1↗2019-02-18

▶

📋Vendor Advisories

Debian

CVE-2019-8428: zoneminder - ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views/control.p...↗2019

▶