OS Command Injection in ZoneMinder versions prior to 1.36.33 and 1.37.33 via daemonControl()

OS Command Injection in ZoneMinder versions prior to 1.36.33 and 1.37.33 via daemonControl()

CVE-2023-26039 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33.

Learn more about our Cis Benchmark Audit For Distribution Independent Linux.