CVE-2021-45472: 
NixOS vulnerability analysis and mitigation

CVE-2021-45472 is a cross-site scripting (XSS) vulnerability affecting MediaWiki through version 1.37. The vulnerability exists in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme (among others) can be used (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impact on both confidentiality and integrity, and no impact on availability (NVD).

The vulnerability allows attackers to execute cross-site scripting attacks through the Wikibase component, potentially leading to unauthorized access to sensitive information and manipulation of web content. The attack can affect both confidentiality and integrity of the system, though it requires user interaction to be successful (NVD).

The vulnerability has been addressed in MediaWiki version 1.36.3. Users are advised to upgrade to this version or later to mitigate the risk. The fix was included in Fedora's security update package mediawiki-1.36.3-1.fc35 (Fedora Update).