CVE-2022-34911: 
NixOS vulnerability analysis and mitigation

An XSS vulnerability (CVE-2022-34911) was discovered in MediaWiki versions before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. The vulnerability occurs in configurations that allow JavaScript payload in usernames, where after account creation, the username is not properly escaped when setting the page title to "Welcome" followed by the username (CVE Mitre, Debian Tracker).

The vulnerability exists in the SpecialCreateAccount::successfulAction() function which calls ::showSuccessPage() with a message as second parameter, and OutputPage::setPageTitle() uses text() without proper escaping. The issue arises from oddities in the way Sanitizer::removeSomeTags and Sanitizer::stripAllTags can interfere with each other, potentially allowing lower-level obfuscations and CSS hacks (Wikimedia Phabricator).

While the vulnerability requires specific configuration settings that allow JavaScript in usernames (not allowed by default), successful exploitation could lead to Cross-Site Scripting (XSS) attacks. The impact is considered low-risk as it primarily allows lower-level obfuscations and minor CSS hacks, such as using span tags with display:none (Wikimedia Phabricator).

The vulnerability has been patched in MediaWiki versions 1.35.7, 1.37.3, and 1.38.1. Users are advised to upgrade to these or later versions. The fix involves properly escaping the username in the welcomeuser message passed to showSuccessPage() (Debian Security).