CVE-2023-45881: 
NixOS vulnerability analysis and mitigation

GibbonEdu Gibbon through version 25.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the file upload functionality. The vulnerability exists in the /modules/Planner/resourcesaddQuickajaxProcess.php endpoint, where the filename attribute of the bodyfile1 parameter is reflected in the response when the imageAsLinks parameter is set to Y (USD Advisory, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). The issue occurs when uploading files through the resourcesaddQuickajaxProcess.php endpoint. To exploit the vulnerability, the imageAsLinks parameter must be set to Y to return HTML code, and the filename attribute of the bodyfile1 parameter is then reflected unsanitized in the response (USD Advisory).

This vulnerability can lead to Cross-Site Scripting attacks, potentially allowing attackers to execute arbitrary JavaScript code in victims' browsers. According to the security advisory, when chained with other vulnerabilities, this could lead to the creation of arbitrary high-privileged accounts (USD Advisory).

The vulnerability has been fixed in version 25.0.01, released as a security update on September 19, 2023. It is recommended to upgrade to this version or later. The vendor recommends treating all input on the website as potentially dangerous (USD Advisory).