
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. Multiple MediaWiki messages were not being properly sanitized, which allowed for the injection and execution of HTML and JavaScript. The affected messages include growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline, growthexperiments-mentor-dashboard-mentee-overview-info-text, growthexperiments-mentor-dashboard-mentee-overview-info-legend-headline, and growthexperiments-mentor-dashboard-mentee-overview-active-ago. This vulnerability was disclosed on October 6, 2021 (NVD).
The vulnerability is classified as a Cross-Site Scripting (XSS) issue with a CVSS v3.1 score of 4.8 MEDIUM and CVSS v2.0 score of 3.5 LOW. The vulnerability stems from improper sanitization of MediaWiki messages in the Mentor dashboard, allowing attackers to inject and execute malicious HTML and JavaScript code (NVD).
The vulnerability allows attackers to inject and execute arbitrary HTML and JavaScript code through the affected MediaWiki messages in the Mentor dashboard. This could lead to unauthorized access to user data, session hijacking, or other malicious actions within the context of the user's browser (NVD).
The vulnerability was addressed in versions after MediaWiki 1.36.2. Users are advised to upgrade to a patched version of the GrowthExperiments extension to prevent potential exploitation (NVD).
Source: This report was generated using AI