PT-2023-1586 · Unknown+2 · Zoneminder+2

Unblvr · Published 2022-09-07 · Updated 2023-12-15 · CVE-2023-26035

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ZoneMinder versions prior to 1.36.33 and 1.37.33

Description: The issue is related to the shell_exec() function in ZoneMinder, a free, open-source closed-circuit television (CCTV) application for Linux that supports IP, USB and analog cameras. The problem arises from a missing authorization check, allowing a remote unauthenticated attacker to execute arbitrary code. Specifically, there are no permission checks on the snapshot action, which expects an id to fetch an existing monitor but can instead be passed an object that creates a new one. The TriggerOn function then calls shell_exec() using the supplied Id.

Recommendations: For versions prior to 1.36.33, update to version 1.36.33 or later. For versions prior to 1.37.33, update to version 1.37.33 or later. As a temporary workaround, consider restricting access to the snapshot action and the TriggerOn function until a patch is applied, and ensure the id parameter of the snapshot action cannot be used to create new monitors from a passed object.

Exploit · Fix

RCE · Missing Authorization

Weakness Enumeration

Related Identifiers

ALT-PU-2022-2575
ALT-PU-2022-2771
ALT-PU-2022-2858
ALT-PU-2022-2978
ALT-PU-2023-1939
ALT-PU-2023-2056
ALT-PU-2023-4121
ALT-PU-2023-7284
BDU:2023-01079
CVE-2023-26035
GHSA-72RG-H4VF-29GR

Affected Products

Alt Linux
Debian
Zoneminder