Mirror of https://github.com/ZoneMinder/zoneminder.git (synced 2026-03-25 01:01:53 -04:00)
Add RBAC checks to ConfigsController edit() and delete() requiring System=Edit permission, matching the pattern used by other controllers.

Harden System/Readonly column checks with !empty() to handle missing columns gracefully.

Fix command injection in Event.php by using ZM_PATH_FFMPEG constant with escapeshellarg() instead of hardcoded unsanitized ffmpeg call.

Add is_executable() validation at all exec() sites using ZM_PATH_FFMPEG as defense-in-depth against poisoned config values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
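The pattern the commit message above names (is_executable() on the configured ffmpeg path, escapeshellarg() on everything handed to the shell), as an added PHP example that is not ZoneMinder's own code. build_ffmpeg_command(), the sample paths and the stand-in constant value are hypothetical; only the name ZM_PATH_FFMPEG comes from the page.

```php
<?php
// Added example, not ZoneMinder code. ZM_PATH_FFMPEG is the constant named in
// the commit message; the value defined here is a constructed stand-in.
if (!defined('ZM_PATH_FFMPEG')) {
    define('ZM_PATH_FFMPEG', '/usr/bin/ffmpeg');
}

/**
 * Hypothetical helper: build a shell command line for ffmpeg, or return null
 * when the configured binary path should not be trusted.
 */
function build_ffmpeg_command(string $binary, array $args): ?string
{
    // Defense in depth: a config value that is empty, missing, a directory,
    // or not executable never reaches exec().
    if ($binary === '' || !is_file($binary) || !is_executable($binary)) {
        return null;
    }
    // Quote the binary and every argument so the shell sees each as one word.
    $parts = array_map('escapeshellarg', array_merge([$binary], $args));
    return implode(' ', $parts);
}

// Constructed input: a file name containing a space and a shell metacharacter.
$input  = '/tmp/event 42; echo x.mp4';
$output = '/tmp/event-42.jpg';

$cmd = build_ffmpeg_command(
    ZM_PATH_FFMPEG,
    ['-y', '-i', $input, '-frames:v', '1', $output]
);

if ($cmd === null) {
    // Fail closed and record which configured path was rejected.
    error_log('ffmpeg path is not an executable file: ' . ZM_PATH_FFMPEG);
} else {
    // The ';' stays inside one quoted argument instead of ending the command.
    echo $cmd, PHP_EOL;
    // exec($cmd, $lines, $status);  // run only after the checks above pass
}
```

escapeshellarg() prevents shell interpretation only; a value that begins with `-` is still read by ffmpeg as an option, so paths built from user input should also be validated or made absolute before they are passed in.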
ZoneMinder API
This is the ZoneMinder API. For now, it should be installed under the webroot, e.g. /api.
app/Config/database.php.default must be configured and copied to app/Config/database.php.
In addition, Security.salt and Security.cipherSeed in app/Config/core.php should be changed.
The API can run on a dedicated or separate instance, as long as it can access the database as configured in app/Config/database.php.