CVE-2023-31493: 
NixOS vulnerability analysis and mitigation

A Remote Code Execution (RCE) vulnerability was discovered in ZoneMinder through version 1.36.33. The vulnerability (CVE-2023-31493) allows attackers to create a new .php log file in the language folder, execute crafted payloads, and escalate privileges to execute arbitrary commands on the remote system (NVD, MITRE).

The vulnerability exists in the logging functionality of ZoneMinder. An attacker can exploit this by manipulating the LOGDEBUGFILE field under Options -> Logging to write logs in the language folder (/usr/share/zoneminder/www/lang/). The attacker can then poison the log file with a crafted PHP payload and set it as a user's language file. When the affected user logs in, the malicious language file is loaded, executing the embedded payload (Medium Blog).

The vulnerability allows attackers to execute arbitrary commands on the remote system with the permissions of the web server user. This can lead to complete system compromise, unauthorized access to surveillance data, and potential lateral movement within the network (Medium Blog).

Users should upgrade to a version newer than 1.36.33. The vulnerability has been assigned a CVSS base score of 6.6 (Medium) by CISA-ADP with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L (NVD).