CVE-2023-50712: 
NixOS vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability has been identified in iris-web, affecting multiple locations in versions prior to v2.3.7. The vulnerability was discovered in December 2023 and affects the iris-web application, which is a web collaborative platform designed to help incident responders share technical details during investigations (GitHub Advisory).

The vulnerability is classified as a stored XSS issue (CWE-79 and CWE-87) with a CVSS v3.1 base score of 5.4 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The attack vector is network-based, with low attack complexity, requiring low privileges and user interaction. The vulnerability allows attackers to inject malicious scripts into the application, which can then be executed when users visit the affected locations (NVD).

The exploitation of this vulnerability could lead to unauthorized access, data theft, or other related malicious activities. The impact is considered moderate with low confidentiality and integrity impact, while availability is not affected (GitHub Advisory).

The vulnerability has been patched in version v2.3.7 of iris-web. No workarounds are available, and it is recommended to upgrade to the latest version (GitHub Release).

The vulnerability was responsibly disclosed by Leonard Rapp from G DATA Advanced Analytics GmbH. The release of version 2.3.7 received positive community reactions on GitHub, with multiple users expressing appreciation for the security fix (GitHub Release).