ID

VAR-202302-2186


CVE

CVE-2023-26032


TITLE

SQL injection vulnerability in ZoneMinder

Trust: 0.8

sources: JVNDB: JVNDB-2023-004652

DESCRIPTION

ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an SQL injection via a malicious JSON Web Token (JWT). The Username field of the JWT was trusted when performing an SQL query to load the user. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT and use it to execute arbitrary SQL. This issue is fixed in versions 1.36.33 and 1.37.33. ZoneMinder contains an SQL injection vulnerability. Information may be obtained, information may be tampered with, and service operation may be interrupted (a DoS condition).

Trust: 1.71

sources: NVD: CVE-2023-26032 // JVNDB: JVNDB-2023-004652 // VULMON: CVE-2023-26032

IOT TAXONOMY

category: ['camera device'], sub_category: camera

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: zoneminder, model: zoneminder, scope: gte, version: 1.37.00

Trust: 1.0

vendor: zoneminder, model: zoneminder, scope: lt, version: 1.36.33

Trust: 1.0

vendor: zoneminder, model: zoneminder, scope: lt, version: 1.37.33

Trust: 1.0

vendor: zoneminder, model: zoneminder, scope: eq, version: -

Trust: 0.8

vendor: zoneminder, model: zoneminder, scope: eq, version: 1.36.33

Trust: 0.8

vendor: zoneminder, model: zoneminder, scope: -, version: -

Trust: 0.8

vendor: zoneminder, model: zoneminder, scope: eq, version: 1.37.00 that's all 1.37.33

Trust: 0.8

sources: JVNDB: JVNDB-2023-004652 // NVD: CVE-2023-26032

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-26032
value: HIGH

Trust: 1.0

security-advisories@github.com: CVE-2023-26032
value: HIGH

Trust: 1.0

NVD: CVE-2023-26032
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202302-2022
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2023-26032
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.2
impactScore: 5.9
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2023-26032
baseSeverity: HIGH
baseScore: 8.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: LOW
exploitabilityScore: 2.2
impactScore: 6.0
version: 3.1

Trust: 1.0

NVD: CVE-2023-26032
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-004652 // CNNVD: CNNVD-202302-2022 // NVD: CVE-2023-26032 // NVD: CVE-2023-26032

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.0

problemtype: SQL injection (CWE-89) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-004652 // NVD: CVE-2023-26032

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202302-2022

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-202302-2022

PATCH

title: Repair measures for the ZoneMinder SQL injection vulnerability, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=228058

Trust: 0.6

sources: CNNVD: CNNVD-202302-2022

EXTERNAL IDS

db: NVD, id: CVE-2023-26032

Trust: 3.4

db: JVNDB, id: JVNDB-2023-004652

Trust: 0.8

db: CNNVD, id: CNNVD-202302-2022

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

db: VULMON, id: CVE-2023-26032

Trust: 0.1

sources: OTHER: None // VULMON: CVE-2023-26032 // JVNDB: JVNDB-2023-004652 // CNNVD: CNNVD-202302-2022 // NVD: CVE-2023-26032

REFERENCES

url: https://github.com/zoneminder/zoneminder/security/advisories/ghsa-6c72-q9mw-mwx9

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2023-26032

Trust: 0.8

url: https://cxsecurity.com/cveshow/cve-2023-26032/

Trust: 0.6

url: https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: OTHER: None // VULMON: CVE-2023-26032 // JVNDB: JVNDB-2023-004652 // CNNVD: CNNVD-202302-2022 // NVD: CVE-2023-26032

SOURCES

db: OTHER, id: -
db: VULMON, id: CVE-2023-26032
db: JVNDB, id: JVNDB-2023-004652
db: CNNVD, id: CNNVD-202302-2022
db: NVD, id: CVE-2023-26032

LAST UPDATE DATE

2025-01-30T19:49:02.561000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2023-26032, date: 2023-02-26T00:00:00
db: JVNDB, id: JVNDB-2023-004652, date: 2023-11-01T02:03:00
db: CNNVD, id: CNNVD-202302-2022, date: 2023-03-08T00:00:00
db: NVD, id: CVE-2023-26032, date: 2023-11-07T04:09:17.300

SOURCES RELEASE DATE

db: VULMON, id: CVE-2023-26032, date: 2023-02-25T00:00:00
db: JVNDB, id: JVNDB-2023-004652, date: 2023-11-01T00:00:00
db: CNNVD, id: CNNVD-202302-2022, date: 2023-02-25T00:00:00
db: NVD, id: CVE-2023-26032, date: 2023-02-25T01:15:56.760