John Marzella

**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions 1.29 through 1.30 **Description** The issue allows a remote attack to make changes to the web application as the current logged-in victim, enabling the creation of a new admin user within the application for remote persistence and further attacks. This can occur if the victim visits a malicious web page. The URL `/zm/index.php` is involved, with parameters such as `action`, `uid`, `newUser[Username]`, `newUser[Password]`, `conf password`, and `newUser[System]` being utilized. For example, `action=user`, `uid=0`, `newUser[Username]=attacker1`, `newUser[Password]=Password1234`, `conf password=Password1234`, and `newUser[System]=Edit`. **Recommendations** For ZoneMinder versions 1.29 and 1.30, consider disabling access to the `/zm/index.php` endpoint until a patch is available to prevent exploitation. Restrict the ability to create new admin users within the application to minimize the risk of remote persistence and further attacks. Avoid using the `newUser[Username]`, `newUser[Password]`, and `conf password` parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.