CVE-2024-51482 Overview
ZoneMinder is a free, open source closed-circuit television (CCTV) software application widely deployed for managing IP camera surveillance systems. CVE-2024-51482 is a boolean-based SQL injection vulnerability in the web/ajax/event.php component. The flaw affects ZoneMinder versions 1.37.* up to and including 1.37.64 and is resolved in version 1.37.65. An authenticated attacker with low privileges can inject arbitrary SQL through unsanitized request parameters, leading to database compromise across confidentiality, integrity, and availability boundaries.
Critical Impact
A low-privileged authenticated user can extract, modify, or destroy data in the ZoneMinder database and pivot to compromise the broader surveillance infrastructure.
Affected Products
- ZoneMinder 1.37.0 through 1.37.64
- ZoneMinder web component web/ajax/event.php
- Fixed in ZoneMinder 1.37.65
Discovery Timeline
- 2024-10-31 - CVE-2024-51482 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-51482
Vulnerability Analysis
The vulnerability resides in the removetag action handler inside web/ajax/event.php. The handler reads the tid parameter directly from $_REQUEST and concatenates it into a SQL string without parameterization or type validation. An attacker can manipulate the tid value to craft boolean expressions that alter query logic. Because the query result drives application response behavior, a boolean-based blind SQL injection becomes feasible. Attackers can iteratively probe the database to exfiltrate credentials, session data, and configuration details that govern camera access and recording retention. The Common Weakness Enumeration classifies this issue as [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Root Cause
The root cause is direct interpolation of user-controlled input into a SQL statement. The vulnerable code path takes $_REQUEST['tid'] and inserts it inline into SELECT * FROM Events_Tags WHERE TagId = $tagId. No prepared statement, type cast, or input validation guards this query.
Attack Vector
Exploitation requires network access to the ZoneMinder web interface and a valid low-privileged session. The attacker sends a crafted AJAX request to the event.php endpoint with a malicious tid payload. Because the scope changes during exploitation, the attacker can read or alter records outside the authenticated user's normal privilege boundary.
ajaxResponse(array('response'=>$response));
break;
case 'removetag' :
- $tagId = $_REQUEST['tid'];
+ $tagId = validCardinal($_REQUEST['tid']);
dbQuery('DELETE FROM Events_Tags WHERE TagId = ? AND EventId = ?', array($tagId, $_REQUEST['id']));
- $sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
- $rowCount = dbNumRows($sql);
+ $rowCount = dbNumRows('SELECT * FROM Events_Tags WHERE TagId=?', [ $tagId ]);
if ($rowCount < 1) {
- $sql = 'DELETE FROM Tags WHERE Id = ?';
- $values = array($_REQUEST['tid']);
- $response = dbNumRows($sql, $values);
+ $response = dbNumRows('DELETE FROM Tags WHERE Id=?', [$tagId]);
ajaxResponse(array('response'=>$response));
}
ajaxResponse();
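Review bot: in the first DELETE of the removetag case, $_REQUEST['id'] is still passed straight from the request while tid now goes through validCardinal(). It is bound as a parameter, so it cannot alter the statement, but running it through validCardinal() as well would treat both ids the same way and reject a non-numeric event id before it reaches the database. Separately, the tag cleanup still calls dbNumRows() to execute a DELETE and returns the result as $response; a short comment on what that value means to the caller would help.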
Source: ZoneMinder GitHub Commit 9e7d318. The patch replaces string interpolation with parameterized queries and validates tid through validCardinal() to enforce numeric input.
Detection Methods for CVE-2024-51482
Indicators of Compromise
- HTTP requests to /zm/index.php or /zm/ajax/event.php containing SQL metacharacters such as single quotes, UNION, SLEEP, AND 1=1, or comment sequences within the tid parameter.
- Repeated AJAX removetag actions from a single authenticated session over a short interval, indicating automated blind injection probing.
- Anomalous read or delete operations against the Events_Tags and Tags MariaDB or MySQL tables outside normal application workflows.
Detection Strategies
- Inspect web server access logs for event.php requests where the tid query parameter is non-numeric or exceeds expected length.
- Enable MySQL or MariaDB general query logging on ZoneMinder backends and alert on queries referencing Events_Tags that contain inline boolean expressions.
- Deploy a web application firewall rule that blocks SQL keywords in tid and id parameters submitted to ZoneMinder AJAX endpoints.
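The access-log checks listed above, together with the burst indicator from the Indicators of Compromise list, as an added example (not ZoneMinder or vendor code). It assumes combined-format access logs, uses the client address as a stand-in for the session, and the thresholds, the action parameter name and the query layout of the constructed sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined-log prefix: client address, timestamp, request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')
PATHS = ("/zm/index.php", "/zm/ajax/event.php")  # paths named in the IoC list
MAX_TID_DIGITS = 10                    # assumed upper bound for a tag id
BURST_COUNT = 5                        # assumed threshold: removetag calls ...
BURST_WINDOW = timedelta(seconds=10)   # ... per client inside this window

def scan(lines):
    """Return (bad_tid_hits, burst_clients) for an iterable of access-log lines."""
    bad, seen, bursts = [], defaultdict(list), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, target = m.groups()
        url = urlsplit(target)
        if url.path not in PATHS:
            continue
        qs = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        for tid in qs.get("tid", []):
            # The patched code accepts only a cardinal number; flag anything else.
            if not (tid.isascii() and tid.isdigit()) or len(tid) > MAX_TID_DIGITS:
                bad.append((client, tid))
        if "removetag" in qs.get("action", []):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            # Keep only this client's calls that fall inside the sliding window.
            seen[client] = [t for t in seen[client] if when - t <= BURST_WINDOW] + [when]
            if len(seen[client]) >= BURST_COUNT:
                bursts.add(client)
    return bad, bursts

def sample_line(client, sec, tid):
    """Build one constructed access-log line (query layout is an assumption)."""
    return (f'{client} - - [02/Nov/2024:10:00:{sec:02d} +0000] "GET /zm/index.php'
            f'?view=request&request=event&action=removetag&tid={tid}&id=345 HTTP/1.1" 200 31')

# Constructed sample: one normal call, then five probes from a documentation address.
SAMPLE = [sample_line("198.51.100.7", 0, "12")] + [
    sample_line("203.0.113.9", s, "1%20AND%201=1") for s in range(1, 6)]

if __name__ == "__main__":
    bad, bursts = scan(SAMPLE)
    print("non-numeric or over-long tid:", bad)
    print("removetag bursts:", sorted(bursts))
```

Access logs record only the query string, so a tid submitted in a POST body is invisible to this check and has to be caught through database query logging or a WAF instead.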
Monitoring Recommendations
- Track authentication events and correlate low-privileged sessions with bursts of event.php traffic.
- Monitor outbound database egress and CPU spikes on the ZoneMinder host, which can indicate time-based injection attempts.
- Forward ZoneMinder application logs and HTTP access logs to a centralized analytics platform for retroactive hunting.
How to Mitigate CVE-2024-51482
Immediate Actions Required
- Upgrade ZoneMinder to version 1.37.65 or later, which contains the official fix referenced in advisory GHSA-qm8h-3xvf-m7j3.
- Restrict access to the ZoneMinder web console to trusted networks using firewall ACLs or VPN gating.
- Audit existing user accounts and revoke unused or shared credentials that could be abused by an insider.
Patch Information
The upstream fix is delivered in commit 9e7d31841ed9678a7dd06869037686fc9925e59f and shipped with ZoneMinder 1.37.65. The patch replaces unsafe SQL string concatenation in web/ajax/event.php with prepared statements and validates the tid parameter through validCardinal(). Administrators running any 1.37.x release at or below 1.37.64 must apply this update.
Workarounds
- Apply the upstream patch manually to web/ajax/event.php if an immediate version upgrade is not feasible.
- Place ZoneMinder behind a reverse proxy that enforces strict input validation on the tid parameter, rejecting non-numeric values.
- Disable or restrict the removetag AJAX action at the web server level until the upgrade is completed.
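# Example nginx rule to block non-numeric tid values on event.php
# $arg_tid covers the query string only; a tid sent in a POST body is not checked here.
location ~ /zm/ajax/event\.php$ {
    # Reject only when tid contains a non-digit, so requests without tid still pass.
    if ($arg_tid ~ "[^0-9]") {
        return 400;
    }
    proxy_pass http://zoneminder_backend;
}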


