PatchSiren cyber security CVE debrief

CVE-2017-5367 ZoneMinder CVE debrief

CVE-2017-5367 is a reflected cross-site scripting issue affecting ZoneMinder v1.29 and v1.30. According to the CVE/NVD record, multiple form and link input parameters in /zm/index.php can be abused to inject script that runs in an authenticated client’s browser. The issue was publicly disclosed on 2017-02-06 and was assigned a medium-severity CVSS 3.0 score of 6.1.

Vendor: ZoneMinder
Product: CVE-2017-5367
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-06
Original CVE updated: 2026-05-13
Advisory published: 2017-02-06
Advisory updated: 2026-05-13

Who should care

Administrators and operators of ZoneMinder deployments, especially instances still running v1.29 or v1.30. Security teams should also care if the application is exposed to authenticated users in shared or high-trust browser sessions, since the impact depends on user interaction and browser context.

Technical summary

The NVD record classifies the weakness as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability is reflected XSS in the ZoneMinder web interface, centered on /zm/index.php, where multiple request parameters reflect attacker-controlled content into a page viewed by an authenticated user. The published CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network reachable, low attack complexity, no privileges required, user interaction required, changed scope, and low confidentiality and integrity impact through browser-side script execution, with no availability impact.

Defensive priority

Moderate. This is not marked as KEV in the supplied data, but it is a publicly disclosed browser-side injection issue affecting authenticated users. Priority should be higher for internet-facing or multi-user ZoneMinder deployments.

Recommended defensive actions

  • Upgrade or otherwise remediate ZoneMinder instances running v1.29 or v1.30 before relying on them for production use.
  • Review and harden any authentication-dependent workflows in ZoneMinder that render request parameters into HTML.
  • Apply server-side output encoding and input handling controls consistent with preventing reflected XSS.
  • Limit exposure of the ZoneMinder web interface to trusted networks and authenticated administrative users where possible.
  • Monitor and test for unsafe reflection in /zm/index.php and related request-handling paths during validation and patch verification.
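As an added example (not part of this debrief or of the ZoneMinder project), the following Python scan supports the monitoring and patch-verification item above: it reads constructed access-log lines, keeps only requests to /zm/index.php, percent-decodes each query parameter (including double-encoded values) and flags parameters that carry HTML or script markup. The parameter names `view` and `filter` are placeholders, since the record does not name the affected parameters.

```python
"""Flag /zm/index.php requests whose query parameters carry HTML/script markup.
Constructed log lines; parameter names are placeholders, not ZoneMinder's own."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log prefix up to the status code: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Tag openers, javascript: URLs and inline event handlers: none belong in a ZoneMinder parameter.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return [(name, decoded_value)] for markup-bearing parameters on /zm/index.php only."""
    parts = urlsplit(target)
    if parts.path != "/zm/index.php":
        return []
    return [(name, fully_decode(raw))
            for name, raw in parse_qsl(parts.query, keep_blank_values=True)
            if MARKUP_RE.search(fully_decode(raw))]

def scan_log(lines):
    """One finding per request that carries suspicious markup; other lines are ignored."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m["target"])):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]), "params": hits})
    return findings

# Constructed sample traffic (not real logs); 'view' and 'filter' are placeholder parameter names.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2017:18:01:02 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 5120',
    '10.0.0.9 - - [06/Feb/2017:18:01:07 +0000] "GET /zm/index.php?view=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5300',
    '10.0.0.9 - - [06/Feb/2017:18:01:09 +0000] "GET /zm/index.php?filter=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5280',
    '10.0.0.7 - - [06/Feb/2017:18:02:00 +0000] "GET /zm/skins/classic/css/base.css HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request after patching is the signal to follow up: the fix is verified only when reflected markup is encoded in the response body, which this log-side check cannot see on its own.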

Evidence notes

All core claims are supported by the supplied CVE/NVD record: affected versions v1.29 and v1.30, the /zm/index.php location, reflected XSS behavior, CWE-79 mapping, and the CVSS 3.0 vector. Timing context comes from the CVE publishedAt value of 2017-02-06T17:59:00.500Z and modifiedAt of 2026-05-13T00:24:29.033Z. Reference links in the source metadata point to the CVE record, NVD detail page, and related advisory/index references.

Official resources

Publicly disclosed on 2017-02-06 per the supplied CVE published date. The NVD record was last modified on 2026-05-13. No KEV listing is included in the supplied data.