Vulnerability Details : CVE-2013-0232
Public exploit exists!
includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.
Products affected by CVE-2013-0232
- cpe:2.3:a:zoneminder:zoneminder:1.24.4:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder:zoneminder:1.25.0:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder:zoneminder:1.24.0:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder:zoneminder:1.24.1:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder:zoneminder:1.24.2:*:*:*:*:*:*:*
- cpe:2.3:a:zoneminder:zoneminder:1.24.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-0232
- EPSS score: 64.83% (probability of exploitation activity in the next 30 days)
- Percentile: ~98% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2013-0232
- ZoneMinder Video Server packageControl Command Execution
  Disclosure Date: 2013-01-22
  First seen: 2020-04-26
  exploit/unix/webapp/zoneminder_packagecontrol_exec
  This module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The 'packageControl' function in the
CVSS scores for CVE-2013-0232
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
References for CVE-2013-0232
- http://www.exploit-db.com/exploits/24310
  ZoneMinder Video Server - packageControl Command Execution (Metasploit) - Unix remote Exploit
- http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771
  Security issue - ZoneMinder Forums
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698910
  #698910 - zoneminder: CVE-2013-0232: arbitrary command execution vulnerability - Debian Bug report logs
- http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
  Exploit
- http://www.debian.org/security/2013/dsa-2640
  Debian -- Security Information -- DSA-2640-1 zoneminder
- http://www.openwall.com/lists/oss-security/2013/01/28/2
  oss-security - Re: CVE Request: zoneminder: arbitrary command execution vulnerability