CVE-2022-4455: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in sproctor php-calendar affecting the index.php file. The vulnerability was identified by the CVE identifier CVE-2022-4455 and involves the manipulation of the $SERVER['PHPSELF'] argument. The issue was fixed through a patch (commit a2941109b42201c19733127ced763e270a357809) that improved input sanitization (Github Patch).

The vulnerability exists due to improper neutralization of input during web page generation in the index.php file. The issue specifically relates to the handling of $SERVER['PHPSELF'] variable, which was initially using htmlentities() for sanitization. The fix involved changing to htmlspecialchars() with additional parameters (ENT_QUOTES, 'UTF-8') to provide better protection against XSS attacks. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If exploited, this vulnerability could allow remote attackers to execute cross-site scripting attacks against users of the php-calendar application. The impact is considered moderate as it requires user interaction and can lead to limited disclosure and modification of data.

The vulnerability has been patched in the php-calendar repository. The fix involves replacing the htmlentities() function with htmlspecialchars() using proper encoding parameters (ENTQUOTES, 'UTF-8') for the $SERVER['PHP_SELF'] variable. Users should update their installations to include the security fix from commit a2941109b42201c19733127ced763e270a357809 (Github Patch).