CVE-2023-26035

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://packetstormsecurity.com/files/175675/ZoneMinder-Snapshots-Command-Injection.html
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zoneminder:zoneminder::::::::
	cpe:2.3:a:zoneminder:zoneminder::::::::

History

14 Nov 2023, 03:15

Type	Values Removed	Values Added
References		() http://packetstormsecurity.com/files/175675/ZoneMinder-Snapshots-Command-Injection.html -

07 Mar 2023, 17:00

Type	Values Removed	Values Added
CWE		CWE-862
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Zoneminder Zoneminder zoneminder
References	~~(MISC) https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr -~~	(MISC) https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr - Patch, Vendor Advisory
CPE		cpe:2.3:a:zoneminder:zoneminder::::::::

25 Feb 2023, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-02-25 02:15

Updated : 2023-12-10 14:48

NVD link : CVE-2023-26035

Mitre link : CVE-2023-26035

CVE.ORG link : CVE-2023-26035

JSON object : View

Products Affected

zoneminder

zoneminder

CWE

CWE-862

Missing Authorization

{"id": "CVE-2023-26035", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.9}]}, "published": "2023-02-25T02:15:13.550", "references": [{"url": "http://packetstormsecurity.com/files/175675/ZoneMinder-Snapshots-Command-Injection.html", "source": "security-advisories@github.com"}, {"url": "https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-862"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33."}], "lastModified": "2023-11-14T03:15:08.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4A5EDFC-FCEB-4982-A3D1-C95814646A27", "versionEndExcluding": "1.36.33"}, {"criteria": "cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1AF3896-BC5B-4FB6-842D-29B621F987E4", "versionEndExcluding": "1.37.33", "versionStartIncluding": "1.37.00"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}