CVE-2017-5368

Published: Feb 6, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).

Affected (2)

Products: Zoneminder: Zoneminder

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Zoneminder Zoneminder	Version 1.29.0
Zoneminder Zoneminder	Version 1.30.0

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (6)

http://seclists.org/bugtraq/2017/Feb/6

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2017/Feb/11

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/96126

Source: cve@mitre.org

http://seclists.org/bugtraq/2017/Feb/6

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2017/Feb/11

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/96126

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.