CVE-2021-45473: 
NixOS vulnerability analysis and mitigation

In MediaWiki through 1.37, Wikibase item descriptions allow XSS (Cross-Site Scripting), which is triggered upon a visit to an action=info URL (aka a page-information sidebar). This vulnerability was discovered in December 2021 and assigned CVE-2021-45473. The vulnerability affects MediaWiki versions up to and including 1.37 (NVD, CVE).

The vulnerability exists in the Wikibase component of MediaWiki where item descriptions are not properly escaped before being displayed in the page information sidebar. The issue received a CVSS v3.1 Base Score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) and a CVSS v2.0 Base Score of 4.3 MEDIUM (Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N) (NVD).

The vulnerability allows attackers to execute cross-site scripting attacks when users visit the page information section of affected pages. This could potentially lead to unauthorized access to user data and session information within the context of the MediaWiki installation (NVD).

The vulnerability was fixed in MediaWiki versions 1.35.5, 1.36.3, and 1.37.1. The fix involves properly escaping description content before outputting it in the action=info page. Users are advised to upgrade to these patched versions or later releases (Fedora).