First published: Sat Feb 25 2023
ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary PHP file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Zoneminder Zoneminder | <1.36.33 | |
Zoneminder Zoneminder | >=1.37.00, <1.37.33 | |
CVE-2023-26038 is a Local File Inclusion (Untrusted Search Path) vulnerability in ZoneMinder versions prior to 1.36.33 and 1.37.33.
CVE-2023-26038 allows an attacker to include arbitrary PHP files via the web/ajax/modal.php endpoint in ZoneMinder.
CVE-2023-26038 has a severity score of 6.5 (medium).
To fix CVE-2023-26038, it is recommended to update ZoneMinder to version 1.36.33 or 1.37.33.
You can find more information about CVE-2023-26038 in the advisory on the ZoneMinder GitHub security page.
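The flaw class described above, a request-supplied value used to build the path of a PHP file that is then loaded, is closed by validating the name and confirming the resolved path stays inside the intended directory. The following is an added example of that check, not ZoneMinder's code or its patch; the function name `resolve_modal_path`, the demo directory and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not ZoneMinder code: resolve_modal_path() is a hypothetical helper.

/**
 * Map a request-supplied modal name to a file inside $baseDir.
 * Returns the canonical path, or null if the name must be rejected.
 */
function resolve_modal_path(string $name, string $baseDir): ?string
{
    // 1. Accept only a bare identifier: no slashes, dots, NUL bytes or URL schemes.
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) !== 1) {
        return null;
    }

    // 2. Canonicalise both paths; realpath() returns false if the file does not exist.
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }

    // 3. Containment check after symlink resolution: the file must sit under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary directory holding one legitimate modal file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'modal_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'settings.php', "<?php echo 'settings modal';\n");

// Constructed inputs: one valid name, then names that must not reach include/require.
foreach (['settings', '../settings', 'sub/dir', 'settings.php', 'missing'] as $input) {
    $path = resolve_modal_path($input, $dir);
    printf("%-14s => %s\n", var_export($input, true), $path === null ? 'rejected' : 'allowed');
}

// Clean up the demo files.
unlink($dir . DIRECTORY_SEPARATOR . 'settings.php');
rmdir($dir);
```

Only a path returned by such a resolver should ever be handed to `include` or `require`; a null result should produce an error response rather than a fallback load.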