PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10206 Zoneminder CVE debrief

CVE-2016-10206 is a cross-site request forgery (CSRF) vulnerability in ZoneMinder 1.30.0 and earlier. According to the CVE record, a remote attacker could hijack an authenticated user’s session to submit requests that change passwords, with possible additional unspecified impact through a crafted user action request to index.php.

Vendor: Zoneminder
Product: CVE-2016-10206
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for ZoneMinder deployments, especially installations running version 1.30.0 or earlier and any instance where authenticated users can access the web UI from untrusted browsing contexts.

Technical summary

The NVD record maps this issue to CWE-352 (CSRF) and assigns CVSS v3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The vulnerable scope in the record is ZoneMinder versions up to and including 1.30.0. The documented attack pattern depends on user interaction (the UI:R component of the vector): a crafted request is submitted through the victim's browser to index.php while the victim holds an authenticated session, so the application performs state-changing actions such as password changes on the victim's behalf. The source corpus does not provide a vendor fix note, patch version, or exploit details beyond the CSRF description.

Defensive priority

High

Recommended defensive actions

  • Inventory ZoneMinder installations and confirm whether any instance is running 1.30.0 or earlier.
  • Restrict access to the ZoneMinder web interface to trusted networks and authenticated administrative paths where possible.
  • Review whether the application has anti-CSRF protections enabled or available in your deployment.
  • Instruct users not to interact with untrusted web content while logged in to ZoneMinder, especially from privileged accounts.
  • Monitor for unexpected account or password changes and other state-changing requests in application logs.
  • Upgrade to a version newer than 1.30.0 if supported by your environment, or plan compensating controls if an upgrade is not immediately possible.
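The monitoring action above can be started from ordinary web-server access logs. The following script is an added example for this debrief, not ZoneMinder code: it parses combined-format log lines, treats any POST to index.php or any GET carrying an action parameter as state-changing (an assumption about which requests matter), and flags those whose Referer is missing or points at a host other than the one the UI is served from. The hostname, the sample log lines, and the view=user&action=user query are constructed for illustration.

```python
"""Flag state-changing requests to ZoneMinder's index.php whose Referer is
absent or belongs to another site, as a first-pass CSRF indicator.
Added example for this debrief; not ZoneMinder code. The parameter names
and hostname are assumptions, not values taken from the project."""
import re
from urllib.parse import parse_qs, urlsplit

# Hostname the ZoneMinder UI is legitimately served from (assumed value).
TRUSTED_HOST = "zm.example.internal"

# Apache/nginx "combined" log format: client, identity, user, timestamp,
# request line, status, size, Referer, User-Agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: a same-origin page view, a same-origin user
# update, a user update referred from another site, and one with no Referer.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Feb/2017:10:01:02 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 812 "https://zm.example.internal/zm/index.php" "Mozilla/5.0"
10.0.0.5 - - [05/Feb/2017:10:02:10 +0000] "POST /zm/index.php?view=user&action=user HTTP/1.1" 302 0 "https://zm.example.internal/zm/index.php?view=user" "Mozilla/5.0"
10.0.0.5 - - [05/Feb/2017:10:03:44 +0000] "POST /zm/index.php?view=user&action=user HTTP/1.1" 302 0 "https://other.example.org/page.html" "Mozilla/5.0"
10.0.0.5 - - [05/Feb/2017:10:04:01 +0000] "GET /zm/index.php?view=user&action=user HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_state_changing(method, target):
    """Heuristic (assumed): index.php reached by POST, or by GET with an
    'action' query parameter, is treated as a state-changing request."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return False
    if method == "POST":
        return True
    return "action" in parse_qs(parts.query)


def referer_verdict(referer):
    """Classify the Referer: 'ok' for the trusted host, 'missing-referer'
    when the browser sent none, 'cross-site' for any other host."""
    if referer in ("", "-"):
        return "missing-referer"
    host = urlsplit(referer).hostname
    return "ok" if host == TRUSTED_HOST else "cross-site"


def find_suspicious(log_text):
    """Return one finding per state-changing request that did not come
    from the trusted host, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_state_changing(rec["method"], rec["target"]):
            continue
        verdict = referer_verdict(rec["referer"])
        if verdict != "ok":
            findings.append({
                "ts": rec["ts"],
                "ip": rec["ip"],
                "method": rec["method"],
                "target": rec["target"],
                "referer": rec["referer"],
                "reason": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} "
              f"referer={f['referer']!r} -> {f['reason']}")
```

A missing Referer is weaker evidence than a foreign one, since privacy settings and Referrer-Policy headers strip it legitimately; treat the two reasons with different priority when triaging. The check is a detection aid only and does not replace an application-side anti-CSRF token.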

Evidence notes

All facts above are drawn from the supplied CVE/NVD corpus: the CVE description states CSRF in ZoneMinder 1.30 and earlier, remote authentication hijacking for password-change requests, and possible unspecified additional impact via a crafted request to index.php. The NVD metadata provides CVSS v3.0 8.8, CWE-352, and the vulnerable CPE range ending at 1.30.0. The provided references include an oss-security mailing list post dated 2017-02-05, a SecurityFocus BID entry, and a FoxMole advisory link. No further details were inferred from external content.

Official resources

Public disclosure is reflected in the source corpus by the oss-security mailing list reference dated 2017-02-05, while the CVE record itself was published on 2017-03-03. The record was later modified on 2026-05-13; that modified date is not