CVE-2023-50069: 
NixOS vulnerability analysis and mitigation

WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to stored cross-site scripting (SXSS) through the recording feature. The vulnerability was discovered and disclosed on December 19, 2023, and was assigned CVE-2023-50069. The affected component is the recording feature of WireMock with GUI (GitHub Issue).

The vulnerability exists due to insufficient validation and sanitization of response bodies in the recording feature. When a test mapping is performed pointing to an attacker's file, the malicious payload is stored and subsequently rendered on the Matched page in the Body area. The CVSS v3.1 base score is 6.1 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

If successfully exploited, this vulnerability allows attackers to execute arbitrary web scripts in the context of the application. The impact is characterized by low confidentiality and integrity impacts, with no impact on availability. The cross-site scripting can potentially lead to unauthorized access to sensitive information or manipulation of the application's functionality (GitHub Issue).

Users are advised to follow the official Wiremock documentation to prevent proxying to unintended locations. Additionally, updating to the latest release of Wiremock with GUI is recommended to address this vulnerability (GitHub Issue).