VDB
CVE-2023-26035
CVE-2023-26035
PUBLISHED
CVSS 9.800000190734863 CRITICAL
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33.
EPSS 55.72% · 98.1th percentile
Risk Scores
CVSS v3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
55.72%
98.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| ZoneMinder | zoneminder | >= 1.37.0, < 1.37.33, *, >= 1.37.0, < 1.37.33 |
| zoneminder | zoneminder | 0, 1.37.00, 0 |
Timeline
- Feb 24, 2023 Metasploit Module
- Feb 25, 2023 CVE Published
- Feb 27, 2023 EPSS Score
- Apr 7, 2023 EPSS Score
- Jun 25, 2023 EPSS Score
- Sep 11, 2023 EPSS Score
- Nov 10, 2023 PoC Published
- Nov 11, 2023 EPSS Score
- Nov 14, 2023 PoC Published
- Nov 14, 2023 EPSS Score
- Nov 15, 2023 PoC Published
- Dec 12, 2023 EPSS Score