Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 7.5
CVE Id: CVE-2013-0232
Last Modified: 29 Aug 2013 02:46:18
Published: 20 Mar 2013 11:55:00
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2013-0232

Summary

includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.

Vulnerable Systems

Application

  • Zoneminder 1.24.0
  • Zoneminder 1.24.1
  • Zoneminder 1.24.2
  • Zoneminder 1.24.3
  • Zoneminder 1.24.4
  • Zoneminder 1.25.0


References

MISC - http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771

OSVDB - 89529

MLIST - [oss-security] 20130128 Re: CVE Request: zoneminder: arbitrary command execution vulnerability

EXPLOIT-DB - 24310

DEBIAN - DSA-2640

MISC - http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/

MISC - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698910


Last Updated: 27 May 2016 11:02:05