CVE-2024-43358: 
NixOS vulnerability analysis and mitigation

ZoneMinder, a free and open-source closed-circuit television software application, was found to contain a cross-site scripting (XSS) vulnerability in the filter view via the filter[Id] parameter. The vulnerability was discovered and disclosed on August 12, 2024, affecting versions up to 1.36.33 and 1.37.60. This security issue has been addressed and fixed in versions 1.36.34 and 1.37.61 (GitHub Advisory).

The vulnerability exists due to insufficient sanitization of the filter[Id] parameter in the filter view functionality. The issue allows for cross-site scripting attacks through malicious input in the filter[Id] field. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it requires user interaction and can potentially lead to limited confidentiality and integrity impacts (NVD).

The vulnerability could allow attackers to execute arbitrary HTML or JavaScript code in the context of the user's browser session. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (GitHub Advisory).

The recommended mitigation is to upgrade to ZoneMinder version 1.36.34 or 1.37.61, which contain the security fix. For users unable to upgrade immediately, they can manually apply the patch referenced in commit 062cf56, which implements proper sanitization of the filter[Id] parameter (GitHub Advisory).