CVE-2023-26036: 
NixOS vulnerability analysis and mitigation

ZoneMinder, a free and open-source Closed-circuit television software application for Linux, was found to contain a Local File Inclusion vulnerability (CVE-2023-26036) affecting all installations prior to versions 1.36.33 and 1.37.33. The vulnerability was discovered and disclosed on February 24, 2023, with a CVSS score of 8.1, indicating high severity (GitHub Advisory, SecurityOnline).

The vulnerability exists in the /web/index.php file where improper path sanitization allows for Local File Inclusion. The issue stems from an insufficient implementation of the detaintPath function in /web/includes/functions.php, which attempts to prevent directory traversal by replacing '../' with an empty string only once. This implementation can be bypassed by constructing paths like '..././', which gets converted to '../', potentially allowing access to arbitrary PHP files on the system (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary PHP files on the affected system through Local File Inclusion, potentially leading to unauthorized access to system files and compromised data confidentiality and integrity (GitHub Advisory).

The vulnerability was fixed in ZoneMinder versions 1.36.33 and 1.37.33 through commit 3268f95. Users are advised to either upgrade to these versions or later, or apply the patch manually. The fix properly implements path sanitization to prevent directory traversal attacks (GitHub Advisory).