CVE-2023-31493

NameCVE-2023-31493
DescriptionRCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zoneminder (PTS)bullseye1.34.23-1vulnerable
bookworm1.36.33+dfsg1-1vulnerable
forky, sid, trixie1.36.35+dfsg1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zonemindersource(unstable)(unfixed)unimportant

Notes

Only supported for trusted users/behind auth
https://medium.com/@dk50u1/rce-remote-code-execution-in-zoneminder-up-to-1-36-33-0686f5bcd370
Search for package or bug name: Reporting problems