CVE-2024-51482
published 2024-10-31

CVE-2024-51482: ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder v1.37.* <= 1.37.64 is vulnerable to boolean-based SQL Injection in…

Priority P274 · CVSS 3.1: 9.9 critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploit: available (public PoC payload and nuclei template; see Detection & IOCs)
EPSS: 36.90% (98.3rd percentile)
ZoneMinder is a free, open source closed-circuit television software application. ZoneMinder 1.37.* up to and including 1.37.64 is vulnerable to boolean-based (blind) SQL injection in a function of web/ajax/event.php. This is fixed in 1.37.65.

Affected (2 ranges)

Vendor       Product      Version range        Fixed in
debian       zoneminder   (not given)          (not given)
zoneminder   zoneminder   1.37.* <= 1.37.64    1.37.65

Detection & IOCs (extracted from sources)

url:  /zm/index.php?view=request&request=event&action=removetag&tid=1+AND+(SELECT+6435+FROM+(SELECT(SLEEP(7)))AbUy)
url:  /zm/index.php?view=request&request=event&action=removetag&tid=1
path: web/ajax/event.php
  • Detect time-based blind SQL injection attempts against ZoneMinder's removetag action by monitoring for SLEEP() payloads in the tid parameter of requests to /zm/index.php with action=removetag.
  • A successful exploitation probe returns HTTP 200 with a response body containing '{"result":"OK"' and a response duration of 7 seconds or more, indicating that the injected SLEEP(7) executed. The plain tid=1 request listed above returns the same status and body without the delay, so the response time, not the body, is the discriminator.
  • Monitor POST requests to /zm?view=login followed by GET requests to the removetag endpoint; this two-step pattern (authenticate, then exploit) is the attack chain for CVE-2024-51482.
  • The vulnerable code path is in web/ajax/event.php; alert on SQL-injection-like patterns (AND, SLEEP, SELECT subqueries) in the tid query parameter routed through this file. The CVE is described as boolean-based, so probes without SLEEP (for example tid=1 AND 1=1 compared with tid=1 AND 1=2) reach the same injection point with no timing signal; treat any non-numeric tid as suspicious, and remember that the parameter may arrive URL-encoded.
  • The vulnerability affects only ZoneMinder 1.37.* up to and including 1.37.64; 1.37.65 and later are patched, so hits against patched hosts are failed probes rather than compromises.
  • Exploitation requires an authenticated session (CVSS PR:L); the attack chain includes a login step before the SQL injection request, so rules that only inspect the injection request will miss the preceding authentication and the account that was used.
  • The nuclei template uses a 30-second timeout for the injection request (@timeout: 30s) with a SLEEP(7) payload; detection rules based on response time should compare the observed duration against the requested sleep value and allow for network latency to avoid false negatives.
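The detection points above (SQL patterns in a non-numeric tid, a SLEEP() value compared against the observed duration, and a preceding login POST from the same client) can be run over an access log. The following is an added example written for this page, not code from the cvebase page, the nuclei template, or the ZoneMinder project. It assumes the combined log format with the request duration in seconds appended as the last field (nginx's $request_time), and the log lines it scans are constructed for the example.

```python
"""Flag SQL-injection probes against ZoneMinder's removetag action
(CVE-2024-51482) in web-server access logs.

Added example with constructed log lines. Assumed log format: Apache/nginx
combined format plus the request duration in seconds as the final field.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample: an authenticated time-based probe chain, a benign
# removetag request, and an unauthenticated boolean-style probe.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Oct/2024:10:00:01 +0000] "POST /zm?view=login HTTP/1.1" 200 512 0.031
10.0.0.5 - - [31/Oct/2024:10:00:03 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1+AND+(SELECT+6435+FROM+(SELECT(SLEEP(7)))AbUy) HTTP/1.1" 200 15 7.104
10.0.0.5 - - [31/Oct/2024:10:00:12 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1 HTTP/1.1" 200 15 0.012
10.0.0.7 - - [31/Oct/2024:10:01:00 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1%20AND%201%3D1 HTTP/1.1" 200 15 0.010
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<duration>[\d.]+)$'
)
# SQL keywords or quoting/grouping characters that never belong in a numeric id.
SQLI_RE = re.compile(r"\b(and|or|select|union|sleep|benchmark)\b|['\"()]", re.I)
SLEEP_RE = re.compile(r"sleep\s*\(\s*(\d+(?:\.\d+)?)", re.I)
LOGIN_WINDOW = timedelta(minutes=10)  # how far back a login still "explains" the probe


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["duration"] = float(rec["duration"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes %XX escapes and '+' as space, so the payload is
    # inspected in the form the application actually sees.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_login(rec):
    return (rec["method"] == "POST" and rec["path"].startswith("/zm")
            and rec["query"].get("view") == "login")


def is_removetag(rec):
    return rec["path"].endswith("/index.php") and rec["query"].get("action") == "removetag"


def classify_tid(tid, duration):
    """Return (kind, delay_confirmed) for a removetag tid value; kind is None for a clean id."""
    if tid.isdigit():
        return None, False
    if not SQLI_RE.search(tid):
        return "malformed", False
    m = SLEEP_RE.search(tid)
    if m:
        # Latency only lengthens the response, so "observed >= requested sleep"
        # cannot miss a delay that really happened.
        return "time-based", duration >= float(m.group(1))
    return "boolean/other", False


def scan(log_text):
    """Scan access-log text and return one finding dict per suspicious removetag request."""
    last_login = {}
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_login(rec):
            last_login[rec["ip"]] = rec["ts"]
            continue
        if not is_removetag(rec):
            continue
        kind, confirmed = classify_tid(rec["query"].get("tid", ""), rec["duration"])
        if kind is None:
            continue
        login_ts = last_login.get(rec["ip"])
        findings.append({
            "ip": rec["ip"],
            "kind": kind,
            "delay_confirmed": confirmed,
            "status": rec["status"],
            "after_login": login_ts is not None and rec["ts"] - login_ts <= LOGIN_WINDOW,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The access log cannot show the '{"result":"OK"' body, so that check stays with the web application firewall or a full-capture sensor; what the log does give is the decoded tid, the duration against the requested SLEEP value, and whether a login from the same client preceded the probe within the window.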

CVSS provenance

nvd             v3.1   9.9   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
osv                    9.9   CRITICAL
vendor_debian          9.9   LOW        (the LOW label next to a 9.9 score is the vendor's own rating, not a CVSS severity band)