CVE-2021-45086: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was identified in GNOME Web (also known as Epiphany) affecting versions before 40.4 and 41.x before 41.1. The vulnerability was discovered in December 2021 and stems from the improper handling of the server's suggestedfilename when used as the pdfname value in PDF.js (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (NVD).

The vulnerability could allow remote attackers to perform cross-site scripting (XSS) attacks when a user interacts with maliciously crafted content. This could potentially lead to unauthorized access to sensitive browser data or execution of arbitrary web scripts in the context of the affected browser (Debian Advisory).

The vulnerability has been fixed in version 3.38.2-1+deb11u1 for Debian's stable distribution (bullseye). Users are recommended to upgrade their epiphany-browser packages to the patched versions. For Ubuntu users, the fix is available in version 3.36.4-0ubuntu2 for Ubuntu 20.04 and version 42.1-1ubuntu1 for Ubuntu 22.04 (Debian Advisory, Ubuntu Notice).