CVE-2023-37255: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the CheckUser extension for MediaWiki through version 1.39.3. The vulnerability exists in Special:CheckUser when performing a 'get edits' type check, where HTML injection is possible through the User-Agent HTTP request header (NVD, Wikimedia).

The vulnerability occurs in the 'get edits' check type functionality where user agent strings are not properly escaped before being displayed. The issue was introduced when the code changed from using htmlspecialchars() to handle user agent strings. The CVSS v3.1 base score is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

An attacker could exploit this vulnerability by modifying their user agent string to include malicious HTML/JavaScript code. When a CheckUser performs a 'get edits' type check on actions performed with this modified user agent, the injected code would be executed in the CheckUser's browser context. The user agent is truncated to 255 bytes in the database which may limit the exploitation potential (Wikimedia).

The vulnerability was fixed by properly escaping the user agent string before display. The fix was deployed to Wikimedia production systems and backported to MediaWiki versions 1.39 and 1.40. Earlier versions (1.38 and before) are not affected by this vulnerability as they used proper escaping. Users should upgrade to patched versions of the CheckUser extension (Wikimedia).