
Cloud Vulnerability DB
A community-led vulnerabilities database
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in hledger before version 1.23. The vulnerability exists in the toBloodhoundJson function and allows an attacker to execute JavaScript by encoding user-controlled values in a payload with base64 and parsing them with the atob function. The vulnerability was first introduced when autocompletion was added in hledger-web (version 0.24) (GitHub Issue).
The vulnerability occurs in hledger-web's toBloodhoundJson function, where user input was not properly sanitized before being embedded in generated script content. An attacker could insert HTML tags to escape from the script context, resetting the HTML parser's state and enabling arbitrary JavaScript execution. The protections provided by yesod and other libraries worked correctly; the vulnerability existed in the code that hledger-web itself was generating. The issue has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).
The vulnerability affects any autocomplete-able field in hledger-web. When exploited, malicious JavaScript code could be automatically executed by subsequent visitors viewing the journal. This particularly impacts anonymously-writable instances of hledger-web, potentially allowing attackers to inject malicious scripts that would be executed by other users (GitHub PR).
The vulnerability was fixed in hledger version 1.23 by base64-encoding user-controlled values in the generated payload, so that no raw HTML-significant characters reach the script body. A more comprehensive solution would involve Content-Security-Policy headers that allow inline scripts only by their sha256 hash. Users are advised to upgrade to version 1.23 or later. For instances that cannot be immediately upgraded, it is recommended to disable anonymous write access (GitHub PR).
Source: This report was generated using AI