{"id":"CVE-2017-5367","details":"Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, which allow a remote attacker to execute malicious scripts within an authenticated client's browser. The URL is /zm/index.php, and sample parameters could include: action=login&view=postlogin[XSS]; view=console[XSS]; view=groups[XSS]; view=events&filter[terms][1][cnj]=and[XSS]; view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS]; view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and; view=events&limit=1%22%3E%3C/a%3E[XSS] (among others).","modified":"2026-02-13T01:22:05.664866Z","published":"2017-02-06T17:59:00.500Z","related":["MGASA-2017-0162"],"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/96120"},{"type":"ADVISORY","url":"http://seclists.org/bugtraq/2017/Feb/6"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2017/Feb/11"},{"type":"EVIDENCE","url":"http://seclists.org/bugtraq/2017/Feb/6"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2017/Feb/11"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zoneminder/zoneminder","events":[{"introduced":"0"},{"last_affected":"6de2ab504c71217fa3797b9d041199795c3ca804"}]}],"versions":["v1.25","v1.26-beta.1","v1.26-beta.2","v1.26-beta.3","v1.26.0","v1.26.1","v1.26.2","v1.26.3","v1.26.4","v1.26.5","v1.27.0","v1.28.0","v1.29.0","v1.29.0-rc1","v1.29.0-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5367.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}