CVE-2023-49469: 
NixOS vulnerability analysis and mitigation

A Reflected Cross Site Scripting (XSS) vulnerability was discovered in Shaarli version 0.12.2, identified as CVE-2023-49469. The vulnerability was found in the search tag functionality, where unsanitized user input could be directly embedded into the HTML output without proper encoding or validation. The issue was discovered and disclosed on November 22, 2023, and affects the Shaarli bookmarking application (GitHub Issue).

The vulnerability allows attackers to inject malicious JavaScript code through the search tag parameter. The issue occurs when specially crafted URLs containing malicious code are processed by the application's search tag functionality. A proof of concept demonstrated that an attacker could exploit this by using the payload: https://demo.shaarli.org/?searchterm=&searchtags=</title><svg/onload=alert(document.cookie)>++. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could potentially be exploited by attackers to execute malicious code within the context of a user's web browser. This could lead to unauthorized access, session hijacking, or other malicious activities when users click on specially crafted URLs (GitHub Issue).

The vulnerability has been fixed in Shaarli version 0.13.0. Users are advised to upgrade to this version or later to address the security issue (GitHub Release).