CVE-2021-45474: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in MediaWiki through version 1.37, identified as CVE-2021-45474. The vulnerability exists in the Special:ImportFile URI (also known as FileImporter) functionality, where an attacker could exploit the clientUrl parameter to execute malicious scripts. This vulnerability was disclosed on December 23, 2021 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The CVSS v2.0 score is 4.3 (MEDIUM) with vector (AV:N/AC:M/Au:N/C:N/I:P/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers when they visit specially crafted URLs. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (NVD).

The vulnerability was addressed in MediaWiki version 1.36.3. Users are advised to upgrade to this version or later to protect against this vulnerability. Fedora released an update (mediawiki-1.36.3-1.fc35) to address this issue (Fedora Update).