CVE-2023-37360: 
NixOS vulnerability analysis and mitigation

pacparserfindproxy in Pacparser before 1.4.2 contains a JavaScript injection vulnerability that allows attackers to execute arbitrary JavaScript code when they control the URL parameter. This vulnerability was discovered on June 30, 2023, and could potentially lead to privilege escalation, particularly concerning when the software is integrated into enterprise security products running with elevated privileges (GitHub Advisory, NVD).

The vulnerability exists in the pacparserfindproxy() function which processes URLs and hosts for PAC (Proxy Auto-Configuration) script evaluation. The function attempts to sanitize single quotes by URL-encoding them but fails to account for backslashes that can escape the single quotes in the resulting script. This oversight creates injection points in the script execution context, allowing arbitrary JavaScript code execution within pacparser's SpiderMonkey environment (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

The vulnerability can lead to arbitrary JavaScript code execution within the context of pacparser's 16-year-old version of SpiderMonkey. When pacparser is integrated into security solutions running with root privileges, this vulnerability could be leveraged for local privilege escalation by chaining it with vulnerabilities in SpiderMonkey (GitHub Advisory).

The vulnerability has been patched in Pacparser version 1.4.2. Users are advised to upgrade to this version or later to mitigate the risk (GitHub Advisory).