CVE-2023-33789: 
NixOS vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Netbox version 3.5.1, specifically in the Create Contact Groups (/tenancy/contact-groups/) function. The vulnerability was assigned CVE-2023-33789 and was disclosed on May 24, 2023. The vulnerability affects the Name field within the contact groups creation functionality of Netbox (NVD, GitHub Issue).

The vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field of the contact groups creation form. The CVSS v3.1 base score for this vulnerability is 5.4 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, low attack complexity, low privileges, and user interaction, with limited impact on confidentiality and integrity (NVD).

The vulnerability allows attackers to execute arbitrary scripts in victims' browsers, potentially leading to full compromise of the user's session. When successfully exploited, the attacker can control scripts executed in the victim's browser, enabling them to perform actions on behalf of the compromised user (GitHub Issue).

Users should upgrade to a patched version of Netbox. The vulnerability has been identified and reported, though specific patch information is not explicitly mentioned in the available sources (NVD).