Alpine: multiple zoneminder packages: security update to 1.30.2-r1

high Tenable Self-Hosted Container Security Plugin ID 407978

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Multiple reflected XSS vulnerabilities exist within form and link input parameters of ZoneMinder v1.30 and
v1.29, an open-source CCTV server web application, which allows a remote attacker to execute malicious
scripts within an authenticated client's browser. The URL is /zm/index.php and sample parameters could
include action=login&view=postlogin[XSS] view=console[XSS] view=groups[XSS]
view=events&filter[terms][1][cnj]=and[XSS] view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and[XSS]
view=events&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=[XSS]and view=events&limit=1%22%3E%3C/a%3E[XSS] (among
others). (CVE-2017-5367)

- ZoneMinder v1.30 and v1.29, an open-source CCTV server web application, is vulnerable to CSRF (Cross Site
Request Forgery) which allows a remote attack to make changes to the web application as the current logged
in victim. If the victim visits a malicious web page, the attacker can silently and automatically create a
new admin user within the web application for remote persistence and further attacks. The URL is
/zm/index.php and sample parameters could include action=user uid=0 newUser[Username]=attacker1
newUser[Password]=Password1234 conf_password=Password1234 newUser[System]=Edit (among others).
(CVE-2017-5368)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-5367

https://security.alpinelinux.org/vuln/CVE-2017-5368

Plugin Details

Severity: High

ID: 407978

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-5368

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/5/2017

Reference Information

CVE: CVE-2017-5367, CVE-2017-5368

BID: 96120, 96126