CVE-2023-45372: 
NixOS vulnerability analysis and mitigation

CVE-2023-45372 affects the Wikibase extension for MediaWiki versions before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. The vulnerability was discovered and disclosed in October 2023, specifically related to the item merging functionality where ItemMergeInteractor does not have an edit filter running (such as AbuseFilter) (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, and requires no user interaction. The scope is unchanged, with no impact on confidentiality, low impact on integrity, and no impact on availability (NVD).

The vulnerability affects the integrity of the system during item merging operations due to the absence of edit filter protection. This could potentially allow unauthorized modifications to merged items without proper filtering controls (NVD).

Users should upgrade to MediaWiki versions 1.35.12, 1.39.5, or 1.40.1 or later, depending on their current version track. These versions contain the necessary fixes to address the vulnerability (NVD).