CVE-2024-39926: 
NixOS vulnerability analysis and mitigation

A stored cross-site scripting (XSS) or HTML injection vulnerability was discovered in Vaultwarden (formerly Bitwarden_RS) version 1.30.3 and earlier. The vulnerability affects the admin dashboard functionality and was discovered in September 2024. The issue allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator's browser when viewing the injected content (NVD, MGM Security).

The vulnerability specifically affects the user management page in the Vaultwarden admin dashboard, accessible at /admin. The issue lies in the modal dialogue used for changing role assignments for organization members, where payloads can be injected in the Organization and User fields. While the default Content Security Policy (CSP) of the application blocks most exploitation paths and prevents JavaScript execution via injected HTML code, certain HTML-based attacks remain possible (MGM Security).

The vulnerability allows for HTML injection attacks that could potentially lead to user redirection or other HTML-based attacks when the dialog is accessed. While the default CSP significantly mitigates the potential impact by preventing JavaScript execution, the vulnerability still poses a risk to administrators viewing the injected content (MGM Security).

The vulnerability has been fixed in Vaultwarden version 1.32.0. Users are recommended to upgrade to this version or later to address the security issue. The fix was implemented through pull request #4737 (GitHub Release).