CVE-2024-23179: 
NixOS vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the GlobalBlocking extension in MediaWiki before version 1.40.2. The vulnerability was assigned CVE-2024-23179 and was disclosed in January 2024. The vulnerability affects MediaWiki installations that have the GlobalBlocking extension enabled (MediaWiki Announce).

The vulnerability exists in the GlobalBlocking extension where for a Special:GlobalBlock?uselang=x-xss URI, i18n-based XSS can occur via the parentheses message. This specifically affects subtitle links in buildSubtitleLinks. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating it is network accessible, requires low attack complexity, and needs user interaction (NVD Database).

The vulnerability allows attackers to execute cross-site scripting attacks through the GlobalBlocking extension. This could potentially lead to information disclosure and limited integrity impacts in the context of the affected web application (NVD Database).

Users are advised to upgrade to MediaWiki version 1.40.2 or later which contains the fix for this vulnerability. The patch has been included in the security and maintenance release announced by MediaWiki (MediaWiki Announce).