Headline
CVE-2023-26039: Command injection in daemonControl() API
ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain an OS Command Injection via daemonControl() in (/web/api/app/Controller/HostController.php). Any authenticated user can construct an api command to execute any shell command as the web user. This issue is patched in versions 1.36.33 and 1.37.33.
Package
zoneminder (ZoneMinder)
Affected versions
< 1.36.33, < 1.37.33
Patched versions
1.36.33, 1.37.33
Description
Impact
Command injection in daemonControl() (/web/api/app/Controller/HostController.php):
Any authenticated user can construct an api command to execute any shell command as the web user.
Patches
Fixed by 3bd58d8. Fix released in 1.36.33 and 1.37.33.
Workarounds
Apply patch manually.
###Credits Aymen Borgi