{"id":"UBUNTU-CVE-2017-5368","details":"ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).","modified":"2025-09-08T16:44:06Z","published":"2017-02-06T17:59:00Z","upstream":["CVE-2017-5368"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-5368"},{"type":"REPORT","url":"http://seclists.org/bugtraq/2017/Feb/6"},{"type":"REPORT","url":"http://seclists.org/fulldisclosure/2017/Feb/11"},{"type":"REPORT","url":"http://www.openwall.com/lists/oss-security/2017/02/05/1"},{"type":"REPORT","url":"https://github.com/ZoneMinder/ZoneMinder/issues/1803"},{"type":"REPORT","url":"https://github.com/ZoneMinder/zoneminder/pull/1822"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2017-5368"}],"affected":[{"package":{"name":"zoneminder","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/zoneminder@1.29.0+dfsg-1ubuntu2+esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.28.1-8","1.29.0+dfsg-1","1.29.0+dfsg-1ubuntu1","1.29.0+dfsg-1ubuntu2","1.29.0+dfsg-1ubuntu2+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"zoneminder","binary_version":"1.29.0+dfsg-1ubuntu2+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-5368.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}