CVE-2017-5368

ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery) which allows a remote attack to make changes to the web application as the current logged in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).
References
Link Resource
http://seclists.org/fulldisclosure/2017/Feb/11 Exploit Third Party Advisory VDB Entry
http://seclists.org/bugtraq/2017/Feb/6 Exploit Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/96126
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

OR cpe:2.3:a:zoneminder:zoneminder:1.29.0:*:*:*:*:*:*:*
cpe:2.3:a:zoneminder:zoneminder:1.30.0:*:*:*:*:*:*:*

Information

Published : 2017-02-06 09:59

Updated : 2017-02-09 18:59


NVD link : CVE-2017-5368

Mitre link : CVE-2017-5368


JSON object : View

CWE
CWE-352

Cross-Site Request Forgery (CSRF)

Advertisement

dedicated server usa

Products Affected

zoneminder

  • zoneminder