First published: Sat Feb 25 2023(Updated: )
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via /web/index.php. By controlling $view, any local file ending in .php can be executed. This is supposed to be mitigated by calling detaintPath, however dentaintPath does not properly sandbox the path. This can be exploited by constructing paths like "..././", which get replaced by "../". This issue is patched in versions 1.36.33 and 1.37.33.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Zoneminder Zoneminder | <1.36.33 | |
Zoneminder Zoneminder | >=1.37.00<1.37.33 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-26036 is a Local File Inclusion (Untrusted Search Path) vulnerability in ZoneMinder versions prior to 1.36.33 and 1.37.33.
CVE-2023-26036 has a severity rating of 9.8 (Critical).
CVE-2023-26036 allows an attacker to include arbitrary files on the server, potentially leading to remote code execution or unauthorized access to sensitive information.
To fix CVE-2023-26036, upgrade to ZoneMinder version 1.36.33 or 1.37.33 or later, which contain a fix for this vulnerability.
More information about CVE-2023-26036 can be found at the following link: [ZoneMinder Advisory](https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h5m9-6jjc-cgmw).