Home > Vulnerability Database > CVE-2023-26032

Mend.io Vulnerability Database

CVE-2023-26032

Good to know:

Date: February 24, 2023

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain SQL Injection via malicious jason web token. The Username field of the JWT token was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT token and use it to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.

Language: PHP

Severity Score

4.0

Related Resources (4)

Url: https://security-tracker.debian.org/tracker/CVE-2023-26032

Url: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-6c72-q9mw-mwx9

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26032

Url: https://www.mend.io/vulnerability-database/CVE-2023-26032

Severity Score

4.0

Weakness Type (CWE)

SQL Injection

CWE-89

Top Fix

Upgrade Version

Upgrade to version 1.36.33

Learn More

CVSS v3

Base Score:	4.0
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26032

Good to know:

Date: February 24, 2023

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3

Do you need more information?