CVE-2022-29806

Name: CVE-2022-29806
Description: ZoneMinder before 1.36.13 allows remote code execution via an invalid language. Ability to create a debug log file at an arbitrary pathname contributes to exploitability.
NVD Severity: high

References

Type | URI
MISC | https://github.com/ZoneMinder/zoneminder/releases/tag/1.36.13
MISC | https://forums.zoneminder.com/viewtopic.php?t=31638
MISC | https://github.com/ZoneMinder/zoneminder/commit/9fee64b62fbdff5bf5ece1d617f1f53c7b1967cb
MISC | https://krastanoel.com/cve/2022-29806
Exploit | http://packetstormsecurity.com/files/166980/ZoneMinder-Language-Settings-Remote-Code-Execution.html

Match rules

CPE URI | Source package | Min version | Max version
cpe:2.3:a:zoneminder:zoneminder:*:*:*:*:*:*:*:* | zoneminder | >= None | < 1.36.13

Vulnerable and fixed packages

Source package | Branch | Version | Maintainer | Status
zoneminder | 3.15-community | 1.36.7-r1 | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | possibly vulnerable