CVE-2020-36634: 
NixOS vulnerability analysis and mitigation

A vulnerability classified as problematic was found in Indeed Engineering util up to 1.0.33. The vulnerability affects the function visit/appendTo of the file varexport/src/main/java/com/indeed/util/varexport/servlet/ViewExportedVariablesServlet.java. The issue was discovered on December 27, 2022 and involves improper handling of n-gram indexes that could lead to cross-site scripting (XSS) vulnerabilities (NVD).

The vulnerability stems from unescaped characters in the rendered n-gram indexes JSON in the varexport servlet component. The affected code is responsible for building alphanumeric n-gram indexes for variable names. The issue was fixed by explicitly building alphanumeric n-gram indexes and adding proper character escaping (Github Commit).

The vulnerability could allow attackers to execute cross-site scripting (XSS) attacks by injecting malicious scripts through unescaped characters in the n-gram indexes. This could potentially lead to unauthorized access to sensitive data or execution of arbitrary code in the context of the affected application (NVD).

The issue has been patched in version 1.0.34 of the Indeed Engineering util library. The fix involves explicitly building alphanumeric n-gram indexes and implementing proper character escaping. Users are advised to upgrade to version 1.0.34 or later (Github Release).