PT-2019-19030 · Zoneminder+1 · Zoneminder+1

Lorexxar233

Published

2018-12-14

Updated

2020-02-17

CVE-2019-8428

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ZoneMinder versions prior to 1.32.3

Description The issue allows for SQL Injection via the groupSql parameter in the skins/classic/views/control.php file, as demonstrated by a newGroup[MonitorIds][] value. This can be exploited through the API endpoint /skins/classic/views/control.php. The vulnerable parameter is newGroup[MonitorIds][].

Recommendations For versions prior to 1.32.3, update to version 1.32.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the skins/classic/views/control.php file to minimize the risk of exploitation. Avoid using the newGroup[MonitorIds][] parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

ALT-PU-2018-2845

ALT-PU-2020-1092

ALT-PU-2020-1246

CVE-2019-8428

Affected Products

Alt Linux

Zoneminder

PT-2019-19030 · Zoneminder+1 · Zoneminder+1

CVE-2019-8428

Weakness Enumeration

Related Identifiers

Affected Products

References · 101