CVE-2023-3026: 
NixOS vulnerability analysis and mitigation

Cross-site Scripting (XSS) - Stored vulnerability was discovered in GitHub repository jgraph/drawio versions prior to 21.2.8. The vulnerability was assigned CVE-2023-3026 and was disclosed on May 31, 2023. The issue affects the diagrams/drawio software package (NVD).

The vulnerability has been assessed with a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates the vulnerability is network exploitable, requires low attack complexity, needs no privileges, requires user interaction, has changed scope, and can impact confidentiality and integrity but not availability. The vulnerability is categorized as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (NVD).

The vulnerability allows an attacker to execute stored cross-site scripting attacks, potentially leading to the exposure of sensitive information and manipulation of web content. The CVSS scoring indicates that both confidentiality and integrity are impacted at a low level, while availability is not affected (NVD).

The vulnerability has been fixed in version 21.2.8 of drawio. Users are advised to upgrade to this version or later to mitigate the risk. The fix was implemented through a commit that addresses the sanitization of labels and filename validation (GitHub Patch).