CVE-2021-30157: 
NixOS vulnerability analysis and mitigation

CVE-2021-30157 is a cross-site scripting (XSS) vulnerability discovered in MediaWiki versions before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. The vulnerability was disclosed in April 2021 and affects the ChangesList special pages, specifically Special:RecentChanges and Special:Watchlist, where certain rcfilters-filter-* label messages are output without proper HTML escaping (NVD, CVE).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of rcfilters-filter-* label messages on special pages (NVD).

The vulnerability allows attackers to execute cross-site scripting attacks through unescaped HTML output on ChangesList special pages. This could potentially lead to unauthorized access to sensitive information and manipulation of web content (NVD).

The vulnerability has been fixed in MediaWiki versions 1.31.12 and 1.35.2. Users are advised to upgrade to these or later versions. Multiple Linux distributions have released security updates, including Debian (version 1:1.31.14-1~deb10u1), Fedora, and Gentoo (version 1.36.1) (Debian Security, Gentoo Security).