⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Drafts

Create draft to convert the suggestion into a draft security issue that can be edited before publishing.

Dismiss to remove a suggestion from the queue.

CVE-2024-45689
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    3 packages
    • pkgs.moodle-dl 2.2.2.4
    • pkgs.moodle-dl 2.3.12
    • pkgs.texlivePackages.moodle 1.0
    3 months, 2 weeks ago
  • @LeSuisse accepted as draft 3 months, 2 weeks ago
Moodle: unprotected access to sensitive information via dynamic tables

A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

moodle
<4.3.7
<4.4.3
<4.2.10
<4.1.13

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP
Notify package maintainers: 1
CVE-2024-45690
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    3 packages
    • pkgs.texlivePackages.moodle 1.0
    • pkgs.moodle-dl 2.2.2.4
    • pkgs.moodle-dl 2.3.12
    3 months, 2 weeks ago
  • @LeSuisse accepted as draft 3 months, 2 weeks ago
Moodle: idor when deleting oauth2 linked accounts

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

moodle
<4.3.7
<4.4.3
<4.2.10
<4.1.13

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP
Notify package maintainers: 1
CVE-2024-48897
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    3 packages
    • pkgs.moodle-dl 2.2.2.4
    • pkgs.moodle-dl 2.3.12
    • pkgs.texlivePackages.moodle 1.0
    3 months, 2 weeks ago
  • @LeSuisse accepted as draft 3 months, 2 weeks ago
Moodle: idor in edit/delete rss feed

A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.

moodle
<4.1.0
<4.4.4
<4.3.8
<4.1.14
<4.2.11

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP
Notify package maintainers: 1
CVE-2024-8443
2.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): PHYSICAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse removed
    12 packages
    • pkgs.openscad-unstable 2024-03-10
    • pkgs.openscad-unstable 2024-11-10
    • pkgs.openscad-unstable 2024-12-06
    • pkgs.openscenegraph 3.6.5
    • pkgs.openscad-lsp 1.2.5
    • pkgs.openscap 1.3.10
    • pkgs.openscad 2021.01
    • pkgs.vscode-extensions.antyos.openscad 1.1.1
    • pkgs.vscode-extensions.antyos.openscad 1.3.1
    • pkgs.kakounePlugins.openscad-kak 2020-12-10
    • pkgs.vimPlugins.openscad-nvim 2024-04-13
    • pkgs.vimPlugins.vim-openscad 2022-07-26
    3 months, 2 weeks ago
  • @LeSuisse accepted as draft 3 months, 2 weeks ago
Libopensc: heap buffer overflow in openpgp driver when generating key

A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution.

opensc
Notify package maintainers: 1
CVE-2024-48896
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @LeSuisse accepted as draft 3 months, 2 weeks ago
  • @LeSuisse removed
    3 packages
    • pkgs.texlivePackages.moodle 1.0
    • pkgs.moodle-dl 2.2.2.4
    • pkgs.moodle-dl 2.3.12
    3 months, 2 weeks ago
Moodle: users' names returned in messaging error message

A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.

moodle
<4.1.0
<4.4.4
<4.3.8
<4.1.14
<4.2.11

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP
Notify package maintainers: 1
CVE-2024-48898
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @fricklerhandwerk removed
    3 packages
    • pkgs.moodle-dl 2.2.2.4
    • pkgs.moodle-dl 2.3.12
    • pkgs.texlivePackages.moodle 1.0
    3 months, 2 weeks ago
  • @fricklerhandwerk accepted as draft 3 months, 2 weeks ago
Moodle: some users can delete audiences of other reports

A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.

moodle
<4.1.0
<4.4.4
<4.3.8
<4.1.14
<4.2.11

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP
Notify package maintainers: 1
CVE-2024-48900
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @fricklerhandwerk removed
    3 packages
    • pkgs.moodle-dl 2.2.2.4
    • pkgs.moodle-dl 2.3.12
    • pkgs.texlivePackages.moodle 1.0
    3 months, 2 weeks ago
  • @fricklerhandwerk accepted as draft 3 months, 2 weeks ago
Moodle: idor when accessing list of badge recipients

A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

moodle
<4.4.4

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP
Notify package maintainers: 1
CVE-2024-48901
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @fricklerhandwerk removed
    3 packages
    • pkgs.moodle-dl 2.2.2.4
    • pkgs.moodle-dl 2.3.12
    • pkgs.texlivePackages.moodle 1.0
    3 months, 2 weeks ago
  • @fricklerhandwerk accepted as draft 3 months, 2 weeks ago
Moodle: idor when fetching report schedules

A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.

moodle
<4.1.0
<4.4.4
<4.3.8
<4.1.14
<4.2.11

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP
Notify package maintainers: 1
CVE-2024-52616
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @Erethon accepted as draft 3 months, 3 weeks ago
  • @Erethon removed package pkgs.avahi 0.8 3 months, 3 weeks ago
  • @Erethon dismissed 3 months, 3 weeks ago
  • @fricklerhandwerk accepted as draft 3 months, 2 weeks ago
  • @fricklerhandwerk removed
    5 packages
    • pkgs.guile-avahi 0.4.1
    • pkgs.avahi-compat 0.8
    • pkgs.haskellPackages.avahi 0.2.0
    • pkgs.python311Packages.avahi 0.8
    • pkgs.python312Packages.avahi 0.8
    3 months, 2 weeks ago
Avahi: avahi wide-area dns predictable transaction ids

A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.

avahi
<0.9
rhcos
CVE-2024-8612
3.8 LOW
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 3 months, 2 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 3 months, 3 weeks ago
  • @fricklerhandwerk removed
    9 packages
    • pkgs.canokey-qemu 0-unstable-2023-06-06
    • pkgs.canokey-qemu 2022-06-23
    • pkgs.ubootQemuX86 x86_defconfig-2024.04
    • pkgs.ubootQemuX86 x86_defconfig-2024.10
    • pkgs.ubootQemuAarch64 qemu_arm64_defconfig-2024.04
    • pkgs.ubootQemuAarch64 qemu_arm64_defconfig-2024.10
    • pkgs.qemu-python-utils 0.6.1.0a1
    • pkgs.python311Packages.qemu 0.6.1.0a1
    • pkgs.python312Packages.qemu 0.6.1.0a1
    3 months, 2 weeks ago
  • @fricklerhandwerk accepted as draft 3 months, 2 weeks ago
Qemu-kvm: information leak in virtio devices

A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virito_crypto_req_complete could be larger than the true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to ummap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.

qemu
*
qemu-kvm
qemu-kvm-ma
virt:av/qemu-kvm
virt:rhel/qemu-kvm

pkgs.qemu_xen

Generic and open source machine emulator and virtualizer

pkgs.qemu-user

QEMU User space emulator - launch executables compiled for one CPU on another CPU

pkgs.qemu_xen_4_15

A generic and open source machine emulator and virtualizer

pkgs.qemu_xen_4_15-light

A generic and open source machine emulator and virtualizer
Notify package maintainers: 6