CVE-2023-36473: 
NixOS vulnerability analysis and mitigation

Discourse, an open source discussion platform, was found to contain a CSP (Content Security Policy) nonce reuse vulnerability (CVE-2023-36473). The vulnerability was discovered in July 2023 and could potentially allow XSS attacks to bypass CSP protection. The issue affected versions up to and including 3.0.4 (stable branch), 3.1.0.beta5 (beta branch), and 3.1.0.beta5 (tests-passed branch) (GitHub Advisory, NVD).

The vulnerability stems from a CSP nonce reuse issue that could enable cross-site scripting (XSS) attacks to completely bypass the Content Security Policy protection. While there were no known XSS vectors at the time of disclosure, the vulnerability received a CVSS v3.1 base score of 6.1 (Medium) from NVD and 6.8 (Medium) from GitHub, with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD).

If exploited, this vulnerability could allow attackers to completely bypass CSP protection, potentially leading to successful cross-site scripting attacks. The impact is particularly significant as it affects the security mechanism designed to prevent XSS attacks, though the actual exploitation would require finding a viable XSS vector (GitHub Advisory).

The vulnerability has been patched in versions 3.0.5 (stable branch), 3.1.0.beta6 (beta branch), and 3.1.0.beta6 (tests-passed branch). As a temporary workaround, users can disable Google Tag Manager by unsetting the 'gtm container id' setting (GitHub Advisory).