CVE-2023-26034

Name of the Vulnerable Software and Affected Versions ZoneMinder versions prior to 1.36.33 and 1.37.33

Description The issue is a SQL Injection vulnerability present within the filter[Query][terms][0][attr] query string parameter of the "/zm/index.php" endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL, resulting in potential unauthorized data access and modification, authentication and/or authorization bypass, and remote code execution.

Recommendations For versions prior to 1.36.33, update to version 1.36.33 or later. For versions prior to 1.37.33, update to version 1.37.33 or later. As a temporary workaround, consider restricting access to the "/zm/index.php" endpoint and limiting the use of the filter[Query][terms][0][attr] query string parameter until a patch is applied.