CVE-2023-45373: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the ProofreadPage extension for MediaWiki, affecting versions before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. The vulnerability was disclosed on October 9, 2023, and allows attackers to execute malicious scripts through the formatNumNoSeparators function (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impact on confidentiality and integrity, and no impact on availability (NVD).

The vulnerability allows attackers to perform cross-site scripting attacks through the formatNumNoSeparators function, potentially leading to unauthorized access to user data and manipulation of web content. The attack can compromise user sessions and potentially lead to the execution of malicious code in the context of the affected MediaWiki installation (NVD).

Users are advised to upgrade to MediaWiki versions 1.35.12, 1.39.5, or 1.40.1 or later, depending on their current version track. These versions contain the necessary security fixes to address the vulnerability (NVD).