Your submission was sent successfully! Close

CVE-2017-5368

Published: 06 February 2017

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
zoneminder
Launchpad, Ubuntu, Debian
Upstream
Released (1.30.4+dfsg-1)
Ubuntu 21.10 (Impish Indri) Not vulnerable
(1.30.4+dfsg1-5)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(1.30.4+dfsg1-5)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(1.30.4+dfsg1-5)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was needed)