
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in SpecialEditGrowthConfig in the GrowthExperiments extension for MediaWiki through 1.36.2. The vulnerability (CVE-2021-42042) is a stored (persistent) cross-site scripting (XSS) flaw that could be exploited by wiki administrators. It was discovered on September 9, 2021, and was fixed in version 1.37 (Phabricator).
The vulnerability lies in the handling of the 'growthexperiments-edit-config-error-invalid-title' message in Special:EditGrowthConfig. A wiki administrator could trigger it by changing the content model of MediaWiki:NewcomerTasks.json, which caused the form to include the message content as raw HTML without escaping (Phabricator). The security team rated the issue Low severity.
The flaw allows wiki administrators to inject arbitrary HTML and JavaScript that executes in the context of Special:EditGrowthConfig. The impact is limited because exploitation requires administrator privileges, but other users viewing the affected page could be affected (Phabricator).
The vulnerability was patched in MediaWiki version 1.37. The fix escapes the error message content before it is displayed in the interface, and the patch was backported to supported versions. Users are advised to upgrade to a patched version of the software (Phabricator).
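As an added illustration, not code from GrowthExperiments or from the Phabricator fix, the following stand-alone PHP sketch models the pattern the advisory describes: the text of an admin-editable interface message (a plain array here stands in for the MediaWiki: namespace) is interpolated into form markup, once unescaped and once escaped. The function names and the sample message text are hypothetical; only the message key and page title come from the advisory.

```php
<?php
// Hypothetical stand-in for admin-editable interface messages in the
// MediaWiki: namespace. A wiki administrator can edit this text, so it
// must be treated as untrusted when rendered into HTML.
$messages = [
    'growthexperiments-edit-config-error-invalid-title' =>
        '$1 is not a valid title <b>(constructed sample message)</b>',
];

function lookupMessage( array $messages, string $key, string $param ): string {
    // Substitute the $1 placeholder the way a wiki message parameter is filled in.
    return str_replace( '$1', $param, $messages[$key] );
}

// Vulnerable pattern: the message text enters the form markup as raw HTML,
// so any markup an administrator stored in the message is rendered live.
function renderErrorUnsafe( array $messages, string $key, string $param ): string {
    $text = lookupMessage( $messages, $key, $param );
    return '<div class="error">' . $text . '</div>';
}

// Hardened pattern: escape the message text (parameter included) before it
// enters the HTML, so stored markup is shown literally rather than executed.
function renderErrorSafe( array $messages, string $key, string $param ): string {
    $text = lookupMessage( $messages, $key, $param );
    return '<div class="error">'
        . htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' )
        . '</div>';
}

// Self-check on the constructed message: the unsafe renderer emits a live
// <b> element, the safe renderer emits &lt;b&gt; and no tag from the store.
function selfCheck( array $messages ): bool {
    $key   = 'growthexperiments-edit-config-error-invalid-title';
    $title = 'MediaWiki:NewcomerTasks.json';
    $unsafe = renderErrorUnsafe( $messages, $key, $title );
    $safe   = renderErrorSafe( $messages, $key, $title );
    return strpos( $unsafe, '<b>' ) !== false
        && strpos( $safe, '<b>' ) === false
        && strpos( $safe, '&lt;b&gt;' ) !== false;
}

echo selfCheck( $messages ) ? "escaping check passed\n" : "escaping check FAILED\n";
```

In real MediaWiki code the equivalent of the hardened branch is to build the element with `Html::element()` or to render the message with `Message::escaped()` rather than concatenating its raw output into markup.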
Source: This report was generated using AI