CVE-2022-3138: 
NixOS vulnerability analysis and mitigation

Cross-site Scripting (XSS) vulnerability was identified in GitHub repository jgraph/drawio versions prior to 20.3.0. The vulnerability was discovered and disclosed in September 2022, affecting the drawio diagramming software. This security issue was assigned identifier CVE-2022-3138 (NVD, CVE).

The vulnerability was classified as a Generic Cross-site Scripting (XSS) issue, with a CVSS v3.1 Base Score of 6.1 (MEDIUM) according to NVD's assessment. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability is network exploitable, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability could potentially allow attackers to execute malicious scripts in the context of the affected application, leading to unauthorized access to sensitive information and potential manipulation of the application's behavior. The CVSS scoring indicates low impact on both confidentiality and integrity, with no impact on availability (NVD).

The vulnerability was patched in version 20.3.0 of drawio. The fix included security improvements such as limiting plugins to built-in or same domain and adding ALLOW_CUSTOM_PLUGINS for third-party plugins. Users are advised to upgrade to version 20.3.0 or later to mitigate this vulnerability (Github Commit).