CVE-2023-25825: 
NixOS vulnerability analysis and mitigation

ZoneMinder, a free and open-source Closed-circuit television software application for Linux supporting IP, USB, and Analog cameras, was found to be vulnerable to Cross-site Scripting (XSS) in versions prior to 1.36.33. The vulnerability was discovered and disclosed in February 2023, affecting all ZoneMinder installations below version 1.36.33 (GitHub Advisory, CVE Mitre).

The vulnerability (CVE-2023-25825) allows malicious actors to inject log entries into the database logs containing a malicious referrer field, which remains unescaped when viewing the logs in the web UI. The vulnerability received a CVSS v3.1 score of 7.7 (High severity), with attack vector being Network-based, low attack complexity, and requiring low privileges (Security Online, GitHub Advisory).

When exploited, the vulnerability could lead to Cross-site Scripting attacks, potentially allowing attackers to execute arbitrary JavaScript code in the context of other users' browsers when they view the logs in the web interface (GitHub Advisory).

The vulnerability was patched in ZoneMinder version 1.36.33. The fix was implemented through multiple commits that address the escaping of HTML content in log messages and correct the Content Security Policy (CSP) syntax. Users are advised to upgrade to version 1.36.33 or later to mitigate this vulnerability (GitHub Commits).