CVE-2013-0232 — zoneminder - several issues

Description

includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.

How to fix CVE-2013-0232

To remediate CVE-2013-0232, upgrade the affected package to a fixed version below.

Debian/zoneminder—upgrade to 1.25.0-4 or later
Debian/zoneminder—upgrade to 1.24.2-8+squeeze1 or later

Is CVE-2013-0232 being exploited?

Likely — EPSS is 78.2%, placing CVE-2013-0232 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 1.25.0-4
from 0, < 1.24.2-8+squeeze1

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-0232