CVE-2023-36675: 
NixOS vulnerability analysis and mitigation

CVE-2023-36675 is a cross-site scripting (XSS) vulnerability discovered in MediaWiki affecting versions before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. The vulnerability exists in BlockLogFormatter.php within the BlockLogFormatter component, specifically in the partial blocks feature (NVD, Debian Security).

The vulnerability stems from unsafe message use in BlockLogFormatter.php, particularly in the code handling partial blocks. The issue involves unsafe use of rawParams because $actions is built with Message::text() and unsafe use of rawParam because $restrictions is built with Message::text(). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, Wikimedia Phabricator).

The vulnerability allows attackers to execute cross-site scripting attacks through the partial blocks feature. This could potentially lead to unauthorized access to sensitive information or manipulation of user interface elements when users view affected pages (NVD).

The vulnerability has been fixed in MediaWiki versions 1.35.11, 1.38.7, 1.39.4, and later releases. Users are advised to upgrade to these or newer versions. For Debian users, fixed packages have been released for bullseye (1:1.35.13-1+deb11u3) and bookworm (1:1.39.10-1~deb12u1) distributions (Debian Security).