CVE-2023-26038
First published: Sat Feb 25 2023(Updated: )
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zoneminder Zoneminder | <1.36.33 | |
| Zoneminder Zoneminder | >=1.37.00<1.37.33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2023-26038?
CVE-2023-26038 is a Local File Inclusion (Untrusted Search Path) vulnerability in ZoneMinder versions prior to 1.36.33 and 1.37.33.
How does CVE-2023-26038 affect ZoneMinder?
CVE-2023-26038 allows an attacker to include arbitrary PHP files via the web/ajax/modal.php endpoint in ZoneMinder.
What is the severity of CVE-2023-26038?
CVE-2023-26038 has a severity score of 6.5 (medium).
How can I fix CVE-2023-26038?
To fix CVE-2023-26038, it is recommended to update ZoneMinder to version 1.36.33 or 1.37.33.
Where can I find more information about CVE-2023-26038?
You can find more information about CVE-2023-26038 in the advisory on the ZoneMinder GitHub security page.
- collector/nvd-index
- agent/weakness
- agent/type
- agent/tags
- agent/event
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- vendor/zoneminder
- canonical/zoneminder zoneminder
- version/zoneminder zoneminder/1.37.00