CVE-2023-22911: 
NixOS vulnerability analysis and mitigation

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS (Cross-Site Scripting), because widget authors often do not expect that their widget is executed in an HTML attribute context (CVE Details).

The vulnerability affects multiple versions of MediaWiki including versions before 1.35.9, versions 1.36.x through 1.38.x before 1.38.5, and versions 1.39.x before 1.39.1. The core issue lies in the E-Widgets functionality where widget replacement occurs in HTML attributes. The security flaw arises because widget authors typically don't anticipate their widgets being executed within an HTML attribute context, leading to potential XSS vulnerabilities (Red Hat CVE).

The vulnerability allows for Cross-Site Scripting (XSS) attacks through widget placement in HTML attributes. This could potentially allow attackers to execute malicious scripts in the context of other users' browsers, potentially leading to session hijacking, defacement of the wiki site, or theft of sensitive information (Fedora Update).

The vulnerability has been patched in MediaWiki versions 1.35.9, 1.38.5, and 1.39.1. Users are strongly advised to upgrade to these or later versions to protect against this security issue. The fix addresses the widget replacement mechanism in HTML attributes to prevent XSS attacks (Fedora Update).