CVE-2023-41884 HIGH

CVE-2023-41884: ZoneMinder Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in watch.php

Vendor Zoneminder

Product zoneminder

Weakness CWE-89 · SQLi

Published August 12, 2024

Last update August 13, 2024

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

ZoneMinder is a free, open source Closed-circuit television software application. In WWW/AJAX/watch.php, Line: 51 takes a few parameter in sql query without sanitizing it which makes it vulnerable to sql injection. This vulnerability is fixed in 1.36.34.

Key dates

02Disclosure timeline

August 12, 2024 CVE published

August 13, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-41884 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/89.html

Related vulnerabilities

CVE-2023-41884: ZoneMinder Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in watch.php

01Description

02Disclosure timeline

03References

04Related CVE