{"id":"DEBIAN-CVE-2017-5368","details":"ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attacker to make changes to the web application as the currently logged-in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).","modified":"2026-03-11T07:25:00.856792Z","published":"2017-02-06T17:59:00.547Z","upstream":["CVE-2017-5368"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2017-5368"}],"affected":[{"package":{"name":"zoneminder","ecosystem":"Debian:11","purl":"pkg:deb/debian/zoneminder?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.30.4+dfsg-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2017-5368.json"}},{"package":{"name":"zoneminder","ecosystem":"Debian:12","purl":"pkg:deb/debian/zoneminder?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.30.4+dfsg-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2017-5368.json"}},{"package":{"name":"zoneminder","ecosystem":"Debian:13","purl":"pkg:deb/debian/zoneminder?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.30.4+dfsg-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2017-5368.json"}},{"package":{"name":"zoneminder","ecosystem":"Debian:14","purl":"pkg:deb/debian/zoneminder?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.30.4+dfsg-1"}]}],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2017-5368.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}