{"id":"CVE-2017-5368","details":"ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site Request Forgery), which allows a remote attacker to make changes to the web application as the currently logged-in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a new admin user within the web application for remote persistence and further attacks. The URL is /zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1 newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).","modified":"2026-04-16T06:22:27.663422358Z","published":"2017-02-06T17:59:00.547Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/96126"},{"type":"EVIDENCE","url":"http://seclists.org/bugtraq/2017/Feb/6"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2017/Feb/11"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zoneminder/zoneminder","events":[{"introduced":"0"},{"last_affected":"6de2ab504c71217fa3797b9d041199795c3ca804"},{"introduced":"0"},{"last_affected":"e7aed10f77315505fa15f801e08ca2bb9f48e6e3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.29.0"},{"introduced":"0"},{"last_affected":"1.30.0"}]}}],"versions":["v1.25","v1.26.0","v1.26.1","v1.26.2","v1.26.3","v1.26.5","v1.27.0","v1.29.0","v1.30.0","v1.30.0-rc1","v1.30.0-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-5368.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}