Unknown · Zoneminder · CVE-2023-26034
**Name of the Vulnerable Software and Affected Versions**
ZoneMinder versions prior to 1.36.33 and 1.37.33
**Description**
The vulnerability is a SQL injection in the `filter[Query][terms][0][attr]` query string parameter of the "/zm/index.php" endpoint. A user holding the View or Edit permission for Events can execute arbitrary SQL through this parameter, which may lead to unauthorized data access and modification, authentication and/or authorization bypass, and remote code execution.
**Recommendations**
For versions prior to 1.36.33, update to version 1.36.33 or later.
For versions prior to 1.37.33, update to version 1.37.33 or later.
As a temporary workaround, consider restricting access to the "/zm/index.php" endpoint and limiting the use of the `filter[Query][terms][0][attr]` query string parameter until a patch is applied.
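The parameter named in the description carries a filter attribute, that is, a column identifier rather than a value, and a database driver cannot bind an identifier as a prepared-statement parameter. The usual way to accept one from a request is therefore an allowlist check before any SQL is built. The following PHP is an added example written for this page, not ZoneMinder's code or its fix: the table name `Events`, the column names in the allowlist, the `val` key of the filter term and the `filterEvents` / `filterAttrFromRequest` helpers are all constructed for the demonstration, and only the nested `filter[Query][terms][0][attr]` request shape is taken from the advisory.

```php
<?php
// Added example (not ZoneMinder's code): allowlist a filter attribute name
// before it reaches SQL. Column identifiers cannot be bound as parameters,
// so the only safe way to accept one from the request is to compare it
// against a fixed list. The table and column names below are constructed
// for this example and are not taken from ZoneMinder's schema.

declare(strict_types=1);

// Constructed allowlist: request attr -> column name we are willing to query.
const FILTER_ATTRS = [
    'Name'      => 'Name',
    'MonitorId' => 'MonitorId',
    'StartTime' => 'StartTime',
];

// Unsafe pattern (the class of bug the advisory describes): the attr taken
// from the request is concatenated straight into the statement, so whatever
// it contains is interpreted as SQL. Shown for contrast; never called below.
function buildFilterSqlUnsafe(string $attr, string $value): string
{
    return "SELECT Id FROM Events WHERE $attr = '$value'";
}

// Hardened form: refuse any attr that is not on the allowlist, take the
// column name from our own table rather than the request, and bind the
// value as a parameter so it cannot become SQL either.
function filterEvents(PDO $db, string $attr, string $value): array
{
    if (!array_key_exists($attr, FILTER_ATTRS)) {
        throw new InvalidArgumentException("Unknown filter attribute: $attr");
    }
    $column = FILTER_ATTRS[$attr];
    $stmt = $db->prepare("SELECT Id FROM Events WHERE $column = :value");
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Reads the nested query-string shape named in the advisory
// (filter[Query][terms][0][attr]); returns null if it is absent or not a string.
function filterAttrFromRequest(array $get): ?string
{
    $attr = $get['filter']['Query']['terms'][0]['attr'] ?? null;
    return is_string($attr) ? $attr : null;
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Events (Id INTEGER PRIMARY KEY, Name TEXT, MonitorId INTEGER, StartTime TEXT)');
$db->exec("INSERT INTO Events (Name, MonitorId, StartTime) VALUES ('Front door', 1, '2023-01-01 10:00:00')");
$db->exec("INSERT INTO Events (Name, MonitorId, StartTime) VALUES ('Back door', 2, '2023-01-01 11:00:00')");

// Legitimate request: attr is on the allowlist, the value is bound. 'val' is an assumed key name.
parse_str('filter[Query][terms][0][attr]=MonitorId&filter[Query][terms][0][val]=2', $get);
$attr = filterAttrFromRequest($get) ?? '';
print_r(filterEvents($db, $attr, (string) $get['filter']['Query']['terms'][0]['val']));

// Request whose attr is not a known column: rejected before any SQL is assembled.
parse_str('filter[Query][terms][0][attr]=NotAColumn', $get);
try {
    filterEvents($db, filterAttrFromRequest($get) ?? '', '');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php` (requires the `pdo_sqlite` extension). The first request returns the Id of the row whose `MonitorId` is 2; the second is refused with "Unknown filter attribute: NotAColumn" without a statement ever being prepared. Logging that refusal is a cheap detection signal for the workaround period: requests carrying an attr outside the allowlist are either broken clients or probing.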