CVE-2023-31493 — Code Injection in Zoneminder

CWE-94 — Code Injection3 documents3 sources

Severity

6.6MEDIUMNVD

EPSS

2.5%

top 14.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zoneminder Debian Zoneminder

Timeline

PublishedOct 15

Description

RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:LExploitability: 1.8 | Impact: 4.7

Affected Packages2 packages

▶NVDzoneminder/zoneminder1.36.33

▶debiandebian/zoneminder

🔴Vulnerability Details

OSV

CVE-2023-31493: RCE (Remote Code Execution) exists in ZoneMinder through 1↗2024-10-15

▶

📋Vendor Advisories

Debian

CVE-2023-31493: zoneminder - RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker ...↗2023

▶