CVE-2021-38144: 
NixOS vulnerability analysis and mitigation

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in Form Tools through version 3.0.20. The vulnerability, identified as CVE-2021-38144, allows a low-privileged user to trigger XSS when viewing a form via the submission_id parameter in the path clients/forms/edit_submission.php?form_id=1&view_id=1&submission_id=[XSS] (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The issue affects Form Tools Core versions up to and including 3.0.20 (NVD).

When successfully exploited, this vulnerability allows an attacker with low privileges to execute malicious scripts in the context of other users' browsers who view the affected form submissions. This could lead to theft of sensitive information, session hijacking, or other client-side attacks (NVD).

Users should upgrade Form Tools to a version newer than 3.0.20 to address this vulnerability. The fix is available through the official Form Tools repository (Form Tools Core).