CVE-2023-30538: 
NixOS vulnerability analysis and mitigation

Discourse, an open source platform for community discussion, was found to contain a vulnerability (CVE-2023-30538) related to improper SVG file sanitization. The vulnerability was disclosed on April 18, 2023, affecting Discourse versions stable <= 3.0.2, beta <= 3.1.0.beta3, and tests-passed <= 3.1.0.beta3 (GitHub Advisory, NVD).

The vulnerability stems from improper sanitization of SVG files, which could allow an attacker to execute arbitrary JavaScript code in users' browsers through crafted SVG file uploads. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in users' browsers who view the maliciously crafted SVG file, potentially leading to cross-site scripting (XSS) attacks (GitHub Advisory).

The vulnerability has been patched in versions after 3.0.2 (stable) and 3.1.0.beta3 (beta/tests-passed). For users unable to upgrade, two workarounds are available: 1) Enable CDN handling of uploads (ensuring the CDN sanitizes SVG files), or 2) Disable SVG file uploads by removing 'svg' from the 'authorized extensions' site setting or reset it to default settings (GitHub Advisory).