CVE-2023-26034
published 2023-02-25

Priority: P262, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.58% (72.4th percentile)

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.

Affected

7 ranges
Vendor | Product | Version range | Fixed in
debian | zoneminder | < zoneminder 1.36.33+dfsg1-1 (bookworm) | zoneminder 1.36.33+dfsg1-1 (bookworm)
zoneminder | zoneminder | < 1.36.33 | 1.36.33
zoneminder | zoneminder | |
zoneminder | zoneminder | >= 0 < 1.36.33+dfsg1-1 | 1.36.33+dfsg1-1
zoneminder | zoneminder | >= 0 < 1.36.33+dfsg1-1 | 1.36.33+dfsg1-1
zoneminder | zoneminder | >= 0 < 1.36.33+dfsg1-1 | 1.36.33+dfsg1-1
zoneminder | zoneminder | >= 1.37.00 < 1.37.33 | 1.37.33

Detection & IOCs

url: /zm/index.php
other: filter[Query][terms][0][attr]
  • Monitor HTTP requests to /zm/index.php for SQL injection patterns within the 'filter[Query][terms][0][attr]' query string parameter, which is the specific vulnerable parameter for this blind SQLi.
  • This is a blind SQL injection; look for time-based or boolean-based SQLi payloads (e.g., SLEEP(), IF(), CASE WHEN) injected into the filter[Query][terms][0][attr] parameter of ZoneMinder's index.php.
  • Exploitation requires a user with at minimum View permissions on Events; correlate with authenticated sessions when triaging alerts.
  • Potential impact includes authentication/authorization bypass and remote code execution via SQL injection, not just data exfiltration — treat any confirmed exploitation as high severity.
  • Versions prior to 1.36.33 and 1.37.33 are vulnerable; patch to 1.36.33 or 1.37.33+ to remediate. Debian bullseye remains unresolved as of the advisory.
  • Debian bullseye is still listed as open/unpatched; systems running ZoneMinder on bullseye should be treated as unmitigated.
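
A log check for the monitoring notes above, as an added example that is not part of the original page or of ZoneMinder: it decodes each request to /zm/index.php and flags any filter[Query][terms][N][attr] value that is not a bare identifier, marking those that carry the SLEEP(), IF() or CASE WHEN patterns. The log lines are constructed; matching every term index N and treating only identifier-style values as legitimate are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/zm/index.php"  # path from the advisory; adjust if mounted elsewhere
# Assumption: every term index is checked, not only [0].
ATTR_KEY = re.compile(r"^filter\[Query\]\[terms\]\[\d+\]\[attr\]$")
# Assumption: a legitimate attr value is a bare column-style identifier.
PLAIN_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
# Blind-SQLi markers named in the detection notes above.
MARKERS = re.compile(r"\bSLEEP\s*\(|\bIF\s*\(|\bCASE\s+WHEN\b", re.I)
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify(value):
    """Return 'ok', 'suspicious' (not a bare identifier) or 'sqli-pattern'."""
    if PLAIN_ATTR.match(value):
        return "ok"
    return "sqli-pattern" if MARKERS.search(value) else "suspicious"


def scan(lines):
    """Yield (client_ip, attr_value, verdict) for every attr value that is not 'ok'."""
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != ENDPOINT:
            continue
        # parse_qsl percent-decodes keys and values, so a parameter name
        # sent with %5B/%5D-encoded brackets is matched as well.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if ATTR_KEY.match(key):
                verdict = classify(value)
                if verdict != "ok":
                    yield client, value, verdict


# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Mar/2023:10:00:01 +0000] "GET /zm/index.php?view=events&filter[Query][terms][0][attr]=MonitorId HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Mar/2023:10:00:05 +0000] "GET /zm/index.php?view=events&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Battr%5D=Id%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Mar/2023:10:00:09 +0000] "GET /zm/index.php?view=events&filter[Query][terms][1][attr]=Name%27-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2023:10:00:12 +0000] "GET /index.html?filter[Query][terms][0][attr]=x%20SLEEP(1) HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Each hit carries the client address so it can be matched against authenticated ZoneMinder sessions during triage.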

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv | 8.8 | HIGH
vendor_debian | 9.6 | LOW