CVE-2023-3550: 
NixOS vulnerability analysis and mitigation

MediaWiki version 1.40.0 contains a stored cross-site scripting (XSS) vulnerability identified as CVE-2023-3550. The vulnerability was discovered on July 7, 2023, and publicly disclosed on October 11, 2023. The issue affects MediaWiki installations where XML file uploads are enabled, allowing a remote attacker with a low-privileged user account to potentially escalate their privileges to administrator level (Fluid Attacks).

The vulnerability stems from MediaWiki's failure to validate namespaces used in XML files. When XML file uploads are enabled, an attacker can bypass script detection security controls by using specific namespaces in the XML file. The vulnerability has received a CVSS v3.1 base score of 9.0 (Critical) from NVD and 7.3 (High) from Fluid Attacks, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability allows an attacker to perform a stored XSS attack that can lead to privilege escalation. Specifically, a low-privileged user can escalate their privileges to administrator level by sending a malicious link to the instance administrator. This can result in complete compromise of the affected MediaWiki installation's security model (Fluid Attacks).

Multiple Linux distributions have released security updates to address this vulnerability. Debian has fixed the issue in version 1:1.35.13-1~deb11u1 for bullseye and version 1:1.39.5-1~deb12u1 for bookworm. It's recommended to upgrade MediaWiki installations to the latest patched version (Debian Security).