CVE-2021-42085: 
NixOS vulnerability analysis and mitigation

An issue was discovered in Zammad before version 4.1.1 that allows stored Cross-Site Scripting (XSS) via a custom Avatar. The vulnerability was identified on October 5, 2021, affecting Zammad versions 1.0.x up to 4.1.0. This security flaw enables users to upload custom avatars containing malicious JavaScript code that could bypass the Content-Security-Policy (Zammad Advisory).

The vulnerability is classified as a stored XSS issue (CWE-79: Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 5.4 (MEDIUM). The attack vector is network-based, requiring low attack complexity and low privileges, with user interaction required. The scope is changed, and both confidentiality and integrity impacts are low, while availability impact is none (NVD).

The vulnerability allows attackers to upload malicious avatar images containing JavaScript code that bypasses the Content-Security-Policy. When successful, this could lead to the execution of unauthorized JavaScript code in users' browsers who view the malicious avatar (Zammad Advisory).

The vulnerability has been fixed in Zammad versions 4.1.1 and 5.0.0. Users are recommended to upgrade to one of these versions. Updates can be obtained through the official Zammad website, FTP server, or via OS package managers (Zammad Advisory).