CVE-2023-26039 HIGH

CVE-2023-26039: ZoneMinder vulnerable to OS Command injection in daemonControl() API

Vendor Zoneminder

Product zoneminder

Weakness CWE-78

Published February 25, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01Description

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33.

Key dates

02Disclosure timeline

February 25, 2023 CVE published

March 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-26039 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2023-26039

CWE CWE-78

CVSS 7.1 / HIGH

Affected versions

Vendor Zoneminder

Product zoneminder

Affected < 1.36.33

Vendor Zoneminder

Product zoneminder

Affected >= 1.37.0, < 1.37.33

CVE-2023-26039: ZoneMinder vulnerable to OS Command injection in daemonControl() API

01Description

02Disclosure timeline

03References

04Related CVE