PT-2013-2175 · Zoneminder · Zoneminder Video Server

Published: 2013-03-20 · Updated: 2013-08-29 · CVE-2013-0232

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions
ZoneMinder Video Server versions 1.24.0 and earlier
ZoneMinder Video Server version 1.25.0
Description
includes/functions.php in ZoneMinder Video Server builds shell command lines from request parameters without sanitising them. A remote attacker can execute arbitrary commands on the server by placing shell metacharacters (for example `;`, `|` or backticks) in the runState parameter handled by the packageControl function, or in the key or command parameter handled by the setDeviceStatusX10 function. The injected commands run in the context of the helper process that ZoneMinder launches, so the attacker gains code execution on the host without needing a separate exploit for the invoked script.
Recommendations
Apply the vendor fix; Debian packages are covered by DSA-2640-1 (see Related Identifiers). Until updated packages are installed, restrict access to the ZoneMinder web interface to trusted networks and users, since the vulnerable code in includes/functions.php is reached only through the web front end, and disable the package-control and X10 device-control features where they are not needed. In the code itself, the appropriate fix is to validate runState, key and command against the small set of values the helper scripts accept and to quote them with escapeshellarg() before they reach exec().
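The following is an added example, not ZoneMinder's own code, showing the injection pattern the description refers to next to a hardened version that implements the recommendation above. The binary path, the helper script names (zmpkg.pl, zmx10.pl), their command-line flags and the accepted value sets are assumptions made for illustration; the commands are only built and printed, never executed.

```php
<?php
// Added example (not ZoneMinder's project code). ZM_PATH_BIN, the script
// names, their flags and the allowed value sets are assumed for illustration.

define('ZM_PATH_BIN', '/usr/bin');

// Vulnerable shape: the request parameter is interpolated straight into the
// shell command line, so metacharacters in $runState become extra commands.
function packageControlVulnerable(string $runState): string
{
    return ZM_PATH_BIN . "/zmpkg.pl $runState";
}

// Hardened shape: allow-list the values the helper accepts, then quote the
// argument so the shell treats it as a single literal word.
function packageControlHardened(string $runState): string
{
    $allowed = ['start', 'stop', 'restart', 'status'];   // assumed valid states
    if (!in_array($runState, $allowed, true)) {
        throw new InvalidArgumentException('invalid runState');
    }
    return ZM_PATH_BIN . '/zmpkg.pl ' . escapeshellarg($runState);
}

// Same treatment for the two X10 parameters: key is validated against an
// assumed house-code + unit format (A1 .. P16), command against on/off.
function setDeviceStatusX10Hardened(string $key, string $command): string
{
    if (!preg_match('/^[A-P](?:[1-9]|1[0-6])$/', $key)) {
        throw new InvalidArgumentException('invalid key');
    }
    if (!in_array($command, ['on', 'off'], true)) {
        throw new InvalidArgumentException('invalid command');
    }
    return ZM_PATH_BIN . '/zmx10.pl --command ' . escapeshellarg($command)
        . ' --unit-code ' . escapeshellarg($key);
}

// Constructed payload: a legitimate value followed by an injected command.
$payload = 'start; id > /tmp/pwned';

echo "vulnerable: ", packageControlVulnerable($payload), "\n";

try {
    packageControlHardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened rejected payload: ", $e->getMessage(), "\n";
}

echo "hardened:   ", packageControlHardened('restart'), "\n";
echo "x10:        ", setDeviceStatusX10Hardened('A3', 'on'), "\n";

try {
    setDeviceStatusX10Hardened('A3`id`', 'on');
} catch (InvalidArgumentException $e) {
    echo "hardened rejected key: ", $e->getMessage(), "\n";
}
```

The vulnerable line prints `/usr/bin/zmpkg.pl start; id > /tmp/pwned`, which a shell would run as two commands. The allow-list is the real control here; escapeshellarg() is kept as defence in depth so that a later relaxation of the validation does not silently reopen the injection.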


Related Identifiers

CVE-2013-0232
DSA-2640-1

Affected Products

Zoneminder Video Server