CVE-2022-46148: 
NixOS vulnerability analysis and mitigation

Discourse, an open-source messaging platform, was found to contain a self-XSS vulnerability (CVE-2022-46148) affecting versions 2.8.10 and prior on the 'stable' branch and versions 2.9.0.beta11 and prior on the 'beta' and 'tests-passed' branches. The vulnerability was discovered and disclosed on November 29, 2022 (GitHub Advisory).

The vulnerability allows users to perform self-XSS attacks by composing malicious messages and navigating to the drafts page. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 base score of 7.1 (Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). This vulnerability can escalate to a full XSS attack on sites that have modified or disabled Discourse's default Content Security Policy (GitHub Advisory, NVD).

The vulnerability can lead to a full Cross-Site Scripting (XSS) attack on sites where the default Content Security Policy has been modified or disabled. This could potentially result in unauthorized access to sensitive information, session hijacking, or other malicious actions typically associated with XSS attacks (GitHub Advisory).

The vulnerability has been patched in the latest stable, beta, and tests-passed versions of Discourse. Users are advised to upgrade to versions newer than 2.8.10 for the stable branch or versions newer than 2.9.0.beta11 for the beta and tests-passed branches. Additionally, maintaining the default Content Security Policy helps mitigate the risk of full XSS attacks (GitHub Advisory).