CVE-2021-32719: 
NixOS vulnerability analysis and mitigation

RabbitMQ, a multi-protocol messaging broker, was found to contain a cross-site scripting (XSS) vulnerability in versions prior to 3.8.18. The vulnerability (CVE-2021-32719) was discovered by Fahimhusain Raydurg and affected the federation management plugin. When a federation link was displayed in the RabbitMQ management UI, its consumer tag was rendered without proper tag sanitization (GitHub Advisory).

The vulnerability is classified as a CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) issue. It received a CVSS v3.1 base score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N. The vulnerability specifically affects the consumer tag rendering in the federation management plugin's user interface (GitHub Advisory).

The vulnerability could potentially allow for JavaScript code execution in the context of the page. However, the impact is limited as the user must be signed in and have elevated permissions (manage federation upstreams and policies) for the exploit to be successful (GitHub Advisory).

The vulnerability was patched in RabbitMQ version 3.8.18. As a workaround for affected versions, users can disable the rabbitmq_federation_management plugin and use CLI tools instead. The fix was implemented through proper escaping of the consumer-tag value in the federation management interface (GitHub Advisory, RabbitMQ PR).