CVE-2023-26037 HIGH

CVE-2023-26037: ZoneMinder contains SQL Injection via report_event_audit

Vendor Zoneminder
Product zoneminder
Weakness CWE-89 · SQLi
Published February 25, 2023
Last update March 10, 2025

CVSS base score

8.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.

Key dates

02Disclosure timeline

February 25, 2023 CVE published
March 10, 2025 Record updated