Все бюллетени/c10f2/ALT-PU-2026-3736-2
ALT-PU-2026-3736-2

Обновление пакета zoneminder в ветке c10f2

Версия1.38.1-alt3
Задание#409069
Опубликовано2026-03-03
Макс. серьёзностьCRITICAL
Серьёзность:

Закрытые проблемы (2)

CVE-2025-65791
CRITICAL9.8

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec() function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php.

Опубликовано: 2026-02-18Изменено: 2026-03-11
CVSS 3.xКРИТИЧЕСКАЯ 9.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ссылки
CVE-2026-27470
HIGH8.8

ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name and Cause) are stored safely via parameterized queries but are later retrieved and concatenated directly into SQL WHERE clauses without escaping. An authenticated user with Events edit and view permissions can exploit this to execute arbitrary SQL queries.

Опубликовано: 2026-02-21Изменено: 2026-02-24
CVSS 3.xВЫСОКАЯ 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ссылки

Закрытые ошибки (7)

Ошибка #58033

После обновления до новой версии не грузит стрим с камеры