PT-2017-16456 · Zoneminder+1

Published 2017-02-06 · Updated 2017-06-13 · CVE-2017-5367

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ZoneMinder versions 1.29 through 1.30

Description: Multiple reflected XSS vulnerabilities exist in form and link input parameters of ZoneMinder, an open-source CCTV server web application. A remote attacker can use them to execute scripts in the browser of an authenticated user who follows a crafted link. The affected URL is /zm/index.php; sample vulnerable parameters include action=login, view=postlogin, view=console, view=groups, view=events&filter[terms][1][cnj]=and, and view=events&limit=1.

Recommendations: For ZoneMinder versions 1.29 and 1.30, update to a version that fixes the reflected XSS vulnerabilities. As a temporary workaround, consider restricting access to the vulnerable parameters, such as view and filter[terms][1][cnj], until a patch is available.

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

ALT-PU-2017-1721
CVE-2017-5367
MGASA-2017-0162

Affected products

Alt Linux
Zoneminder