CVE-2022-34912: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in MediaWiki before versions 1.37.3 and 1.38.x before 1.38.1. The vulnerability, identified as CVE-2022-34912, was discovered on July 2, 2022, and affects the contributions-title feature used on Special:Contributions page. The issue occurs when the contributions-title is used as a page title without proper escaping, particularly in non-default configurations where usernames contain HTML entities (CVE Mitre, NVD).

The vulnerability stems from insufficient escaping of input text in the contributions-title message on the Special:Contributions page. In configurations where usernames contain HTML entities, the content is not properly escaped when used as a page title. This implementation flaw could potentially allow malicious users to perform cross-site scripting attacks (Debian Security, Wikimedia Phabricator).

The impact of this vulnerability is considered low risk, as it requires a non-default configuration where usernames contain HTML entities. If exploited, it could potentially lead to cross-site scripting attacks, allowing attackers to execute malicious scripts in the context of other users' browsers (Debian LTS).

The vulnerability has been fixed in MediaWiki versions 1.37.3 and 1.38.1 and later. Users are advised to upgrade to these or newer versions. The fix involves properly escaping the contributions-title message when used within page titles. Various Linux distributions have also released security updates to address this vulnerability, including Debian, Fedora, and Gentoo (Debian Security, Gentoo Security).