PT-2024-12284 · Unknown+1 · Zoneminder+1

Published: 2024-10-15 · Updated: 2025-05-27 · CVE-2023-31493

CVSS v3.1: 6.6 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

ZoneMinder versions up to 1.36.33

Description

A Remote Code Execution (RCE) issue exists that allows an attacker to create a new .php log file in the language folder and execute a crafted payload, escalating privileges to execute any commands on the remote system. The cause is an arbitrary file upload vulnerability in the Languages folder, which enables attackers to execute arbitrary code by uploading a crafted PHP file.

Recommendations

For ZoneMinder versions up to 1.36.33, patch immediately to the latest version to resolve the issue. As a temporary workaround, consider restricting access to the language folder to minimize the risk of exploitation. Avoid using the language folder for uploading files until the issue is resolved.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2023-31493

Affected Products

Debian
Zoneminder