CVE-2023-26037

NameCVE-2023-26037
DescriptionZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zoneminder (PTS)bullseye1.34.23-1vulnerable
sid, bookworm1.36.33+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zonemindersource(unstable)1.36.33+dfsg1-1unimportant

Notes

Only supported for trusted users/behind auth
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-65jp-2hj3-3733
https://github.com/ZoneMinder/zoneminder/commit/4f4ddaab3f982890750594c471bd6b8f72d05dbd
Search for package or bug name: Reporting problems