CVE-2023-26035 — HIGH (7.2)

Q: How severe is CVE-2023-26035?

CVE-2023-26035 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-26035?

Check the references section above for vendor advisories and patch information. Affected products include: Zoneminder Zoneminder.

Vulnerability Description

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There are no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in This issue is fixed in versions 1.36.33 and 1.37.33.

CVSS Score

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Zoneminder	Zoneminder	< 1.36.33

Related Weaknesses (CWE)

CWE-862

References

FAQ

What is CVE-2023-26035?

CVE-2023-26035 is a vulnerability with a CVSS score of 7.2 (HIGH). ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenti...

How severe is CVE-2023-26035?

CVE-2023-26035 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-26035?

Check the references section above for vendor advisories and patch information. Affected products include: Zoneminder Zoneminder.