CVE-2023-45659: 
NixOS vulnerability analysis and mitigation

CVE-2023-45659 affects Engelsystem, a shift planning system for chaos events. The vulnerability was discovered by Eugene Shein and disclosed on October 16, 2023. The issue exists in all versions before commit dbb089315ff3d. When a user's password is compromised and an attacker gains access to a user's account by logging in and obtaining a session, the attacker's session remains active even after the user's account password is reset (GitHub Advisory).

The vulnerability is classified as CWE-613 (Insufficient Session Expiration) with a CVSS v3.1 base score of 2.8 (LOW). The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N, indicating local attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, no impact on confidentiality, low impact on integrity, and no impact on availability (NVD).

The primary impact of this vulnerability is that an attacker who has gained unauthorized access to a user's account can maintain their session even after the legitimate user performs a password reset. This effectively prevents the security measure of password reset from fully protecting the account from ongoing unauthorized access (GitHub Advisory).

The vulnerability has been fixed in commit dbb089315ff3d which implements session termination upon password reset. There are no known workarounds for this vulnerability, and users are advised to update their installations to a version containing this fix (GitHub Advisory).