Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ZoneMinder: Second-Order SQL Injection in `getNearEvents()` via Stored Event Name and Cause Fields
Vulnerability Description
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Vulnerability Title
ZoneMinder SQL注入漏洞
Vulnerability Description
ZoneMinder是ZoneMinder开源的一套开源的视频监控软件系统。该系统支持IP、USB和模拟摄像机等。 ZoneMinder 1.36.37及之前版本和1.37.61版本至1.38.0版本存在SQL注入漏洞,该漏洞源于web/ajax/status.php文件中getNearEvents函数存在二阶SQL注入,可能导致执行任意SQL查询。
CVSS Information
N/A
Vulnerability Type
N/A