Alpine: multiple zoneminder packages: security update to 1.36.33-r0

critical Tenable Cloud Security Plugin ID 426410

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ZoneMinder is a free, open source closed-circuit television software application for Linux which supports
IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote
Code Execution via Missing Authorization. There is no permissions check on the snapshot action, which
expects an id to fetch an existing monitor but can be passed an object to create a new one instead.
TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in
versions 1.36.33 and 1.37.33. (CVE-2023-26035)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-26035

Plugin Details

Severity: Critical

ID: 426410

Version: Revision 1.4

Type: Local

Published: 5/16/2025

Updated: 6/1/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-26035

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/25/2023

Exploitable With

Metasploit (ZoneMinder Snapshots Command Injection)

Reference Information

CVE: CVE-2023-26035