RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.
History

Wed, 16 Oct 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Zoneminder
Zoneminder zoneminder
Weaknesses CWE-94
CPEs cpe:2.3:a:zoneminder:zoneminder:-:*:*:*:*:*:*:*
Vendors & Products Zoneminder
Zoneminder zoneminder
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 15 Oct 2024 15:00:00 +0000

Type Values Removed Values Added
Description An arbitrary file upload vulnerability in the Languages folder of Zoneminder up to v1.36.33 allows attackers to execute arbitrary code via uploading a crafted PHP file. RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.

Tue, 15 Oct 2024 14:45:00 +0000

Type Values Removed Values Added
Description An arbitrary file upload vulnerability in the Languages folder of Zoneminder up to v1.36.33 allows attackers to execute arbitrary code via uploading a crafted PHP file.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-10-15T00:00:00

Updated: 2024-10-16T18:56:57.965Z

Reserved: 2023-04-29T00:00:00

Link: CVE-2023-31493

cve-icon Vulnrichment

Updated: 2024-10-16T18:53:52.321Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-15T15:15:12.393

Modified: 2024-10-16T19:35:04.040

Link: CVE-2023-31493

cve-icon Redhat

No data.