CVE-2024-51482

Name of the Vulnerable Software and Affected Versions ZoneMinder versions prior to 1.37.65

Description ZoneMinder, a free and open source closed-circuit television software application, contains a boolean-based SQL injection flaw. This issue occurs due to a lack of input validation for the tagId parameter within the 'web/ajax/event.php' endpoint, which allows a remote attacker to manipulate SQL queries and potentially execute arbitrary code.

Recommendations Update to version 1.37.65. As a temporary workaround, restrict access to the 'web/ajax/event.php' endpoint or avoid using the tagId parameter until the update is applied.