CVE-2023-26038

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-26038

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26038.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-26038

Aliases

GHSA-wrx3-r8c4-r24w

Downstream

DEBIAN-CVE-2023-26038

UBUNTU-CVE-2023-26038

Published

2023-02-25T01:27:39.450Z

Modified

2026-04-10T04:56:11.461663Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

ZoneMinder contains Local File Inclusion vulnerability via `web/ajax/modal.php`

Details

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 contain a Local File Inclusion (Untrusted Search Path) vulnerability via web/ajax/modal.php, where an arbitrary php file path can be passed in the request and loaded. This issue is patched in versions 1.36.33 and 1.37.33.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-426"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26038.json"
}

References

Affected packages

Git / github.com/zoneminder/zoneminder

Affected ranges

Type: GIT
Repo: https://github.com/zoneminder/zoneminder
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

034ed3e21bad3050373300ab35083c86eda8d690

Affected versions

1.*

1.32.3

1.34.0

1.36.0

1.36.1

1.36.14

1.36.17

1.36.18

1.36.2

1.36.20

1.36.21

1.36.22

1.36.23

1.36.24

1.36.25

1.36.26

1.36.3

1.36.32

1.36.4

Other

list

v1.*

v1.25

v1.26.0

v1.26.1

v1.26.2

v1.26.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26038.json"