CVE-2017-5595

Published: Feb 6, 2017Modified: May 13, 2026

5.5

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

A file disclosure and inclusion vulnerability exists in web/views/file.php in ZoneMinder 1.x through v1.30.0 because of unfiltered user-input being passed to readfile(), which allows an authenticated attacker to read local system files (e.g., /etc/passwd) in the context of the web server user (www-data). The attack vector is a .. (dot dot) in the path parameter within a zm/index.php?view=file&path= request.

Affected (1)

Products: Zoneminder: Zoneminder

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Zoneminder Zoneminder	Up to 1.30.0

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (8)

http://seclists.org/bugtraq/2017/Feb/6

Source: cve@mitre.org

PatchThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2017/Feb/11

Source: cve@mitre.org

PatchThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/96125

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3

Source: cve@mitre.org

PatchVendor Advisory

http://seclists.org/bugtraq/2017/Feb/6

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2017/Feb/11

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/96125

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.