CVE-2023-50924: 
NixOS vulnerability analysis and mitigation

Englesystem, a shift planning system for chaos events, contained a stored Cross-Site Scripting (XSS) vulnerability in versions prior to v3.4.1. The vulnerability stemmed from insufficient validation of user-supplied data in the DECT number, mobile number, and work-log comment fields. These values would be displayed in corresponding log overviews without proper sanitization (NVD, GitHub Advisory).

The vulnerability allowed authenticated users to inject JavaScript code that would be executed in other users' sessions when viewing overview pages. The issue was assigned CVE-2023-50924 with a CVSS v3.1 base score of 5.4 MEDIUM (NIST) and 7.3 HIGH (GitHub). The vulnerability was characterized by improper neutralization of input during web page generation, classified as CWE-79 (NVD).

When exploited, this vulnerability enabled authenticated users to inject malicious JavaScript code into other users' sessions. The injected code would execute automatically when other users viewed certain overview pages, potentially leading to session hijacking, data theft, or other client-side attacks (NVD).

The vulnerability has been fixed in Engelsystem version 3.4.1. Users are advised to upgrade to this version or later to address the security issue. The fix involved implementing proper input validation and output encoding for the affected fields (GitHub Advisory).