Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.8
CVSSv2

CVE-2017-5368

Published: 06/02/2017 Updated: 10/02/2017
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Subscribe to Zoneminder

Vulnerability Summary

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).

Vulnerable Product Search on Vulmon Subscribe to Product

zoneminder zoneminder 1.29.0

zoneminder zoneminder 1.30.0

Vendor Advisories

Debian CVElist Bug Report Logs: CVE-2016-10201 CVE-2016-10202 CVE-2016-10203 CVE-2016-10204 CVE-2016-10205 CVE-2016-10206
Debian Bug report logs - #854272 CVE-2016-10201 CVE-2016-10202 CVE-2016-10203 CVE-2016-10204 CVE-2016-10205 CVE-2016-10206 Package: src:zoneminder; Maintainer for src:zoneminder is Dmitry Smirnov <onlyjob@debianorg>; Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Sun, 5 Feb 2017 17:21:02 UTC Severity: grave ...
Debian CVElist Bug Report Logs: CVE-2016-10201 CVE-2016-10202 CVE-2016-10203 CVE-2016-10204 CVE-2016-10205 CVE-2016-10206
Debian Bug report logs - #854272 CVE-2016-10201 CVE-2016-10202 CVE-2016-10203 CVE-2016-10204 CVE-2016-10205 CVE-2016-10206 Package: src:zoneminder; Maintainer for src:zoneminder is Dmitry Smirnov <onlyjob@debianorg>; Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Sun, 5 Feb 2017 17:21:02 UTC Severity: grave ...
Debian CVElist Bug Report Logs: zoneminder: CVE-2017-5367 CVE-2017-5368 CVE-2017-5595
Debian Bug report logs - #854733 zoneminder: CVE-2017-5367 CVE-2017-5368 CVE-2017-5595 Package: src:zoneminder; Maintainer for src:zoneminder is Dmitry Smirnov <onlyjob@debianorg>; Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Thu, 9 Feb 2017 22:48:01 UTC Severity: grave Tags: security Found in version zo ...

Exploits

Exploit DB: ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass
Various ZoneMinder versions suffer from authentication bypass, cross site request forgery, cross site scripting, information disclosure, and file disclosure vulnerabilities ...

References

CWE-352http://seclists.org/fulldisclosure/2017/Feb/11http://seclists.org/bugtraq/2017/Feb/6http://www.securityfocus.com/bid/96126https://nvd.nist.govhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854272
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-34377CVE-2024-20859CVE-2023-49606injectarbitrary CVE-2024-33788CVE-2024-30973IDORCVE-2024-33907
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook