CVE-2023-37254: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the Cargo extension for MediaWiki through version 1.39.3. The vulnerability was assigned identifier CVE-2023-37254 and was disclosed on June 29, 2023. The vulnerability specifically affects the Special:CargoQuery functionality when using the default format (NVD).

The vulnerability allows XSS to occur in Special:CargoQuery via a crafted page item when using the default format. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network exploitable, requires low attack complexity, needs no privileges, requires user interaction, has changed scope, and can impact confidentiality and integrity but not availability (NVD).

The vulnerability can lead to unauthorized execution of malicious JavaScript code in the context of other users' browsers when they view specially crafted content on the Special:CargoQuery page. This could potentially lead to theft of sensitive information or manipulation of page content (NVD).

Users should upgrade to a version of MediaWiki newer than 1.39.3 which contains patches for this vulnerability. No specific workarounds have been publicly documented for users who cannot immediately upgrade (NVD).