Home > Vulnerability Database > CVE-2023-26035

Mend.io Vulnerability Database

CVE-2023-26035

Good to know:

Date: February 24, 2023

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33.

Language: PHP

Severity Score

9.8

Related Resources (5)

Url: http://packetstormsecurity.com/files/175675/ZoneMinder-Snapshots-Command-Injection.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26035

Url: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr

Url: https://security-tracker.debian.org/tracker/CVE-2023-26035

Url: https://www.mend.io/vulnerability-database/CVE-2023-26035

Severity Score

9.8

Weakness Type (CWE)

Missing Authorization

CWE-862

Top Fix

Upgrade Version

Upgrade to version 1.36.33

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26035

Good to know:

Date: February 24, 2023

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?