PT-2023-20438 · Unknown+2 · Zoneminder+2

Published: 2023-02-25 · Updated: 2023-11-30 · CVE-2023-26036

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

ZoneMinder versions prior to 1.36.33
ZoneMinder versions prior to 1.37.33

Description

The issue is a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath; however, detaintPath does not properly sandbox the path. This can be exploited by constructing paths like "..././", which get replaced by "../".

Recommendations

For versions prior to 1.36.33, update to version 1.36.33 or later. For versions prior to 1.37.33, update to version 1.37.33 or later. As a temporary workaround, consider restricting access to the /web/index.php endpoint until a patch is available. Avoid using the $view variable in the affected API endpoint until the issue is resolved.
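
The sanitizer weakness named in the Description, as an added example that is not ZoneMinder's code: naive_detaint is a hypothetical single-pass filter that models the described behaviour, and resolve_view is one hardened alternative that treats the request value only as a key into a fixed allow-list. The function names, view names and base directory are assumptions made for illustration.

```php
<?php
// Added example; not ZoneMinder's code. All names below are hypothetical.

// Models the flaw described above: a single, non-recursive pass that
// deletes "../". Removing one match can splice the surrounding characters
// into a new "../" that is never re-checked.
function naive_detaint(string $path): string {
    return str_replace('../', '', $path);
}

// Hardened form: the request value is never used to build a path unless it
// is a plain identifier AND a member of a fixed allow-list of view names.
function resolve_view(string $view, array $allowed, string $baseDir): ?string {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $view)) {
        return null;                  // rejects dots, separators, NUL bytes
    }
    if (!in_array($view, $allowed, true)) {
        return null;                  // unknown view name
    }
    return $baseDir . '/' . $view . '.php';
}

// Constructed sample inputs (the third uses the pattern quoted in the Description).
$allowed = ['console', 'events', 'monitor'];
$samples = ['console', '../console', '..././console'];

foreach ($samples as $s) {
    $naive = naive_detaint($s);
    $safe  = resolve_view($s, $allowed, '/srv/app/views');
    printf(
        "%-14s naive=%-12s traversal_left=%-3s allow_list=%s\n",
        $s,
        $naive,
        strpos($naive, '..') !== false ? 'yes' : 'no',
        $safe ?? 'rejected'
    );
}
```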

Weakness Enumeration

Untrusted Search Path

Related Identifiers

ALT-PU-2023-1939
ALT-PU-2023-2056
ALT-PU-2023-4121
ALT-PU-2023-7284
CVE-2023-26036
GHSA-H5M9-6JJC-CGMW

Affected Products

Alt Linux
Debian
Zoneminder