From 191130dcf3c8bbce6d81bf22feff296108b62819 Mon Sep 17 00:00:00 2001
From: Isaac Connor
Date: Fri, 6 Feb 2026 16:52:26 -0500
Subject: [PATCH] fix: validate eventId in getNearEvents() in ajax/status.php

Apply validCardinal() to $_REQUEST['id'], consistent with the validation now used in getNearFrame() and getFrameImage().

Co-Authored-By: Claude Opus 4.6
---
 web/ajax/status.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/ajax/status.php b/web/ajax/status.php
index 3465683a6..b30266aec 100644
--- a/web/ajax/status.php
+++ b/web/ajax/status.php
@@ -525,7 +525,7 @@ function getNearFrame() {
 function getNearEvents() {
 global $user, $sortColumn, $sortOrder;
- $eventId = $_REQUEST['id'];
+ $eventId = validCardinal($_REQUEST['id']);
 $NearEvents = array('EventId'=>$eventId);
 $event = dbFetchOne('SELECT * FROM Events WHERE Id=?', NULL, array($eventId));
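Review bot: Nothing in the hunk rejects the request when `validCardinal($_REQUEST['id'])` yields no usable id, so a missing or non-numeric `id` still reaches `dbFetchOne()` and is echoed back in `$NearEvents['EventId']`. What validCardinal() returns for bad input is not visible here; if it can return an empty or zero value, a guard directly after the assignment such as `if (!$eventId) return;` (or the endpoint's usual error response) would stop the lookup early, and reading the parameter as `$_REQUEST['id'] ?? ''` avoids the undefined-index notice when the parameter is absent. The visible query is already parameterized, so the validation presumably matters for later uses of `$eventId` in the part of getNearEvents() that continues outside the hunk; a short comment on the assignment saying which later use depends on it would help the next reader.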