CVE-2021-37463: 
NixOS vulnerability analysis and mitigation

In NCH Quorum v2.03 and earlier, multiple Cross-Site Scripting (XSS) vulnerabilities exist that allow authenticated users to inject malicious JavaScript code. The vulnerabilities include both stored XSS via User Display Name and Conference Description fields, as well as reflected XSS through various parameters including /uploaddoc?id=, /conference?id=, and /conferencebrowseuploadfile?confid= (GitHub POC, NCH Product).

The vulnerabilities stem from insufficient input validation in multiple fields and parameters. While basic script tag filtering is implemented, it can be bypassed using more diverse XSS payloads. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, and a CVSS v2.0 score of 3.5 (Low) (NVD).

Successful exploitation of these XSS vulnerabilities could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers. This could lead to session hijacking, theft of sensitive information, or other malicious actions performed in the context of the victim's session (GitHub POC).

Users should upgrade to versions newer than 2.03 if available. As this is reported to be a legacy program no longer supported by NCH Software, organizations should consider migrating to alternative conference solutions with active security maintenance (NCH Product).