Unknown · Zoneminder · CVE-2023-26035
**Name of the Vulnerable Software and Affected Versions**
ZoneMinder versions prior to 1.36.33 and 1.37.33
**Description**
The issue concerns a `shell_exec()` call in ZoneMinder, a free, open-source closed-circuit television (CCTV) application for Linux that supports IP, USB, and analog cameras. A missing authorization check allows a remote attacker to execute arbitrary code. Specifically, the snapshot action performs no permissions check: it expects an `id` that is used to fetch an existing monitor, but it can instead be passed an object that creates a new one. The `TriggerOn` function then calls `shell_exec()` with the supplied `Id`.
**Recommendations**
For versions prior to 1.36.33, update to version 1.36.33 or later.
For versions prior to 1.37.33, update to version 1.37.33 or later.
As a temporary workaround until the patch is applied, restrict access to the snapshot action and the `TriggerOn` function, and do not allow the snapshot action's `id` parameter to be used to create new monitors by passing an object.
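As an added illustration (not ZoneMinder's own code), the following PHP sketches the checks a handler of this shape needs: the request value is accepted only as a scalar positive integer, the authorization check runs before any lookup or side effect, and the value reaches the shell only as a single escaped argument. The helpers `currentUserCanView()` and `loadMonitorById()` and the command path are assumptions.

```php
<?php
// Added example, not ZoneMinder's own code. It shows the three checks the
// advisory's description implies are needed before an id taken from the
// request can reach the shell. currentUserCanView(), loadMonitorById() and
// TRIGGER_TOOL are hypothetical placeholders.
declare(strict_types=1);

const TRIGGER_TOOL = '/path/to/trigger-tool'; // placeholder, not a real ZoneMinder binary

// Accept the request's id only as a plain positive decimal string.
// Arrays (which PHP builds from bracketed query parameters) and any other
// non-string value are rejected, so no constructed object can stand in
// for a numeric monitor id.
function requestMonitorId(array $request): ?int
{
    $raw = $request['id'] ?? null;
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function snapshotAction(array $request, array $user): ?string
{
    $id = requestMonitorId($request);
    if ($id === null) {
        http_response_code(400);           // malformed id: refuse, never "create"
        return null;
    }
    // Authorization before any lookup or side effect.
    if (!currentUserCanView($user, $id)) { // hypothetical permission check
        http_response_code(403);
        return null;
    }
    $monitor = loadMonitorById($id);       // hypothetical lookup; a miss is an error
    if ($monitor === null) {
        http_response_code(404);
        return null;
    }
    // The id is already a validated int; still pass it as one escaped
    // argument rather than interpolating request data into a shell string.
    $cmd = TRIGGER_TOOL . ' --monitor ' . escapeshellarg((string) $id);
    return shell_exec($cmd);
}
```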