API Exposes Database Log contents to user without privileges, allows insertion, modification, deletion of logs without System Privileges

High
connortechnology published GHSA-mpcx-3gvh-9488 Oct 7, 2022

Package

zoneminder (ZoneMinder)

Affected versions

<= 1.36.26, <= 1.37.23

Patched versions

1.36.27, 1.37.24

Description

Impact

Affects ZoneMinder installations that have users without System Edit or View privileges.

Patches

[34ffd92]

Workarounds

Disable Database Logging

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2022-39289