Details of VAR-202302-1868

ID

VAR-202302-1868

CVE

CVE-2023-26037

TITLE

ZoneMinder In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-004647

DESCRIPTION

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL Injection. The minTime and maxTime request parameters are not properly validated and could be used execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. ZoneMinder for, SQL There is an injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2023-26037 // JVNDB: JVNDB-2023-004647 // VULMON: CVE-2023-26037

IOT TAXONOMY

category:

['camera device']

sub_category:

camera

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor:	zoneminder	model:	zoneminder	scope:	gte	version:	1.37.00	Trust: 1.0
vendor:	zoneminder	model:	zoneminder	scope:	lt	version:	1.36.33	Trust: 1.0
vendor:	zoneminder	model:	zoneminder	scope:	lt	version:	1.37.33	Trust: 1.0
vendor:	zoneminder	model:	zoneminder	scope:	eq	version:	-	Trust: 0.8
vendor:	zoneminder	model:	zoneminder	scope:	eq	version:	1.36.33	Trust: 0.8
vendor:	zoneminder	model:	zoneminder	scope:	-	version:	-	Trust: 0.8
vendor:	zoneminder	model:	zoneminder	scope:	eq	version:	1.37.00 that's all 1.37.33	Trust: 0.8

sources: JVNDB: JVNDB-2023-004647 // NVD: CVE-2023-26037

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-26037
value:	CRITICAL
Trust: 1.0
security-advisories@github.com:	CVE-2023-26037
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-26037
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-202302-2016
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2023-26037
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
security-advisories@github.com:	CVE-2023-26037
baseSeverity:	HIGH
baseScore:	8.9
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	2.2
impactScore:	6.0
version:	3.1
Trust: 1.0
NVD:	CVE-2023-26037
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-004647 // CNNVD: CNNVD-202302-2016 // NVD: CVE-2023-26037 // NVD: CVE-2023-26037

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.0
problemtype:	SQL injection (CWE-89) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-004647 // NVD: CVE-2023-26037

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-2016

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202302-2016

PATCH

title:

ZoneMinder SQL Repair measures for injecting vulnerabilities

url:

http://123.124.177.30/web/xxk/bdxqById.tag?id=228054

Trust: 0.6

sources: CNNVD: CNNVD-202302-2016

EXTERNAL IDS

db:	NVD	id:	CVE-2023-26037	Trust: 3.4
db:	JVNDB	id:	JVNDB-2023-004647	Trust: 0.8
db:	CNNVD	id:	CNNVD-202302-2016	Trust: 0.6
db:	OTHER	id:	NONE	Trust: 0.1
db:	VULMON	id:	CVE-2023-26037	Trust: 0.1

sources: OTHER: None // VULMON: CVE-2023-26037 // JVNDB: JVNDB-2023-004647 // CNNVD: CNNVD-202302-2016 // NVD: CVE-2023-26037

REFERENCES

url:	https://github.com/zoneminder/zoneminder/security/advisories/ghsa-65jp-2hj3-3733	Trust: 2.5
url:	https://nvd.nist.gov/vuln/detail/cve-2023-26037	Trust: 0.8
url:	https://cxsecurity.com/cveshow/cve-2023-26037/	Trust: 0.6
url:	https://ieeexplore.ieee.org/abstract/document/10769424	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: OTHER: None // VULMON: CVE-2023-26037 // JVNDB: JVNDB-2023-004647 // CNNVD: CNNVD-202302-2016 // NVD: CVE-2023-26037

SOURCES

db:	OTHER	id:	-
db:	VULMON	id:	CVE-2023-26037
db:	JVNDB	id:	JVNDB-2023-004647
db:	CNNVD	id:	CNNVD-202302-2016
db:	NVD	id:	CVE-2023-26037

LAST UPDATE DATE

2025-01-30T19:43:14.379000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-26037	date:	2023-02-26T00:00:00
db:	JVNDB	id:	JVNDB-2023-004647	date:	2023-11-01T01:56:00
db:	CNNVD	id:	CNNVD-202302-2016	date:	2023-03-08T00:00:00
db:	NVD	id:	CVE-2023-26037	date:	2023-03-07T16:52:10.330

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-26037	date:	2023-02-25T00:00:00
db:	JVNDB	id:	JVNDB-2023-004647	date:	2023-11-01T00:00:00
db:	CNNVD	id:	CNNVD-202302-2016	date:	2023-02-25T00:00:00
db:	NVD	id:	CVE-2023-26037	date:	2023-02-25T02:15:13.770