CVE-2024-43360

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: ZoneMinder versions 1.36.33 through 1.37.43 ZoneMinder versions prior to 1.36.34 ZoneMinder versions prior to 1.37.61

Description: ZoneMinder is affected by a time-based SQL Injection vulnerability. The issue stems from improper sanitization of user input in the sort and mid parameters of the "/zm/index.php" endpoint. This vulnerability can allow an attacker to execute arbitrary code.

Recommendations: For ZoneMinder versions 1.36.33 through 1.37.43, update to version 1.36.34 or later. For ZoneMinder versions prior to 1.37.61, update to version 1.37.61 or later. As a temporary workaround, consider restricting access to the "/zm/index.php" endpoint until a patch is available. Avoid using the sort and mid parameters in the affected API endpoint until the issue is resolved.

Exploit

Fix

SQL injection

Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89CWE-119

Related Identifiers

ALT-PU-2024-11690

ALT-PU-2024-11765

ALT-PU-2024-12153

ALT-PU-2024-12804

BDU:2024-11611

CVE-2024-43360

GHSA-9CMR-7437-V9FJ

Affected Products

Alt Linux

Debian

Zoneminder

CVE-2024-43360

Weakness Enumeration

Related Identifiers

Affected Products

References · 27