Fixed in 609b22a and 6ffd2bd aa495eda6be0f4d027283c6d5392e0c0dc07fb5d6.
We add validation to Monitor ID and require authentication before processing actions. In addition we validate Monitor ID before calling shell commands.
Workarounds
Apply patches manually.
Credit
UnblvR
Severity
Critical
10.0
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CVE ID
CVE-2023-26035
Weaknesses
No CWEs
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.
Impact
There's no permissions check on https://github.com/ZoneMinder/zoneminder/blob/master/web/includes/actions/snapshot.php#L25 and https://github.com/ZoneMinder/zoneminder/blob/master/web/includes/actions/snapshot.php#L36 is expecting an id to fetch an existing monitor but you can pass an object to create a new one instead. TriggerOn ends up calling shell_exec here
zoneminder/web/includes/Monitor.php
Lines 782 to 783 in 371f1ad
Patches
Fixed in 609b22a and 6ffd2bd aa495eda6be0f4d027283c6d5392e0c0dc07fb5d6.
We add validation to Monitor ID and require authentication before processing actions. In addition we validate Monitor ID before calling shell commands.
Workarounds
Apply patches manually.
Credit
UnblvR