CVE-2023-26032

Name of the Vulnerable Software and Affected Versions ZoneMinder versions prior to 1.36.33 and 1.37.33

Description The issue concerns SQL Injection via a malicious JSON web token. The Username field of the JWT token was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT token and use it to execute arbitrary SQL.

Recommendations To resolve the issue, update to version 1.36.33 or 1.37.33, as these versions contain the fix for the SQL Injection vulnerability. As a temporary workaround, consider restricting access to the JWT token generation and validation process until the update is applied.