CVE-2023-26034
published 2023-02-25CVE-2023-26034: ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33…
PriorityP262high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.58%
72.4th percentile
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zoneminder | < zoneminder 1.36.33+dfsg1-1 (bookworm) | zoneminder 1.36.33+dfsg1-1 (bookworm) |
| zoneminder | zoneminder | < 1.36.33 | 1.36.33 |
| zoneminder | zoneminder | — | — |
| zoneminder | zoneminder | >= 0 < 1.36.33+dfsg1-1 | 1.36.33+dfsg1-1 |
| zoneminder | zoneminder | >= 0 < 1.36.33+dfsg1-1 | 1.36.33+dfsg1-1 |
| zoneminder | zoneminder | >= 0 < 1.36.33+dfsg1-1 | 1.36.33+dfsg1-1 |
| zoneminder | zoneminder | >= 1.37.00 < 1.37.33 | 1.37.33 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor HTTP requests to /zm/index.php for SQL injection patterns within the 'filter[Query][terms][0][attr]' query string parameter, which is the specific vulnerable parameter for this blind SQLi. ↗
- →This is a blind SQL injection; look for time-based or boolean-based SQLi payloads (e.g., SLEEP(), IF(), CASE WHEN) injected into the filter[Query][terms][0][attr] parameter of ZoneMinder's index.php. ↗
- →Exploitation requires a user with at minimum View permissions on Events; correlate with authenticated sessions when triaging alerts. ↗
- →Potential impact includes authentication/authorization bypass and remote code execution via SQL injection, not just data exfiltration — treat any confirmed exploitation as high severity. ↗
- ·Versions prior to 1.36.33 and 1.37.33 are vulnerable; patch to 1.36.33 or 1.37.33+ to remediate. Debian bullseye remains unresolved as of the advisory. ↗
- ·Debian bullseye is still listed as open/unpatched; systems running ZoneMinder on bullseye should be treated as unmitigated. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian9.6LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Debian
CVE-2023-26034: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...
vendor_debian·2023·CVSS 9.6
CVE-2023-26034 [CRITICAL] CVE-2023-26034: zoneminder - ZoneMinder is a free, open source Closed-circuit television software application...
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.
Scope: local
bookworm: resolved (fixed in 1.36.33+dfsg1-1)
bullseye: open
forky: resolved (fixed in 1.36.33+dfsg1-1)
sid: resolved (fixed in 1.36.33+dfsg1-1)
trixie: resolved (fixed in 1.36.33+dfsg1-1)
OSV
CVE-2023-26034: ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras
osv·2023-02-25·CVSS 8.8
CVE-2023-26034 [HIGH] CVE-2023-26034: ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-02-25
Published