Users login

Create an account »

JOIN XATRIX

Users login

Home » CVE Vulnerabilities » CVE-2017-5368

CVE-2017-5368 ZoneMinder v1.30 and v1.29, an open-source

  • CVE ID: CVE-2017-5368
  • Vendors: Zoneminder
  • Date: February 06, 2017
  • Severity: Medium
  • Impact score: 6.40
  • Exploit score: 8.60

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »