CVE-2023-26037

EUVD-2023-29923
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.9 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
GitHub_MCNA
8.9 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
zoneminderzoneminder
𝑥
< 1.36.33
zoneminderzoneminder
1.37.00 ≤
𝑥
< 1.37.33
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
zoneminder
bookworm
1.36.33+dfsg1-1
fixed
bullseye
unimportant
sid
1.36.33+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
zoneminder
bionic
dne
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-65jp-2hj3-3733
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-65jp-2hj3-3733