CVE-2024-43360 Scanner
CVE-2024-43360 scanner - SQL Injection vulnerability in ZoneMinder
Short Info
Level
Critical
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
4 weeks
Scan only one
Domain, IPv4
Toolbox
-
ZoneMinder is an open-source software widely used for closed-circuit television (CCTV) systems. Security teams, surveillance operators, and IT administrators rely on ZoneMinder for effective monitoring and video management. It is compatible with a range of hardware, making it adaptable to various surveillance setups. ZoneMinder helps organizations manage and control multiple video streams, allowing centralized monitoring. Users deploy this software to enhance security and surveillance capabilities within private, public, and corporate environments.
This vulnerability in ZoneMinder allows unauthorized users to execute SQL injection attacks. It affects specific versions, 1.36.34 and 1.37.61, posing risks to data integrity. Through this attack, malicious actors can manipulate database queries, potentially gaining unauthorized access to sensitive information. Successful exploitation could lead to severe data breaches or other security compromises within the affected system.
The vulnerability exploits an SQL injection point within the ZoneMinder software's database querying process. Specifically, the flaw exists in the endpoint located at /zm/index.php
, where unsanitized input parameters enable time-based SQL injections. Attackers may manipulate the sort
parameter to control conditional delays, exploiting the software's failure to correctly sanitize and validate inputs. The issue is triggered by a SQL condition that, when manipulated, causes a conditional delay in the server's response, confirming the presence of the vulnerability. This injection vulnerability compromises data security by exposing backend data to potential extraction or modification.
When exploited, this SQL injection vulnerability can allow attackers to extract, alter, or delete sensitive information from the ZoneMinder database. Unauthorized access may result in data breaches, loss of confidentiality, and alteration of stored information. Attackers may also gain privileges within the system, compromising the integrity and availability of the surveillance data. In extreme cases, the vulnerability can enable attackers to disable or disrupt surveillance operations.
S4E provides proactive security management for your critical digital assets. By using the platform, you can safeguard against various vulnerabilities, from configuration issues to SQL injection attacks, enhancing your digital security profile. With extensive, detailed vulnerability assessments, S4E enables you to monitor, prioritize, and mitigate risks efficiently. Becoming a member allows access to continuous monitoring, timely alerts, and actionable reports to stay ahead of potential threats. Strengthen your security posture and protect your infrastructure today by joining the S4E community.
References: