Nixpkgs security tracker
6.8 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): High (H)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
21 packages
- phpPackages.phpmd
- php81Packages.phpmd
- php82Packages.phpmd
- php83Packages.phpmd
- php84Packages.phpmd
- php85Packages.phpmd
- python312Packages.pyppmd
- python313Packages.pyppmd
- python314Packages.pyppmd
- python312Packages.pmdarima
- python313Packages.pmdarima
- python314Packages.pmdarima
- python312Packages.pytun-pmd3
- python313Packages.pytun-pmd3
- python314Packages.pytun-pmd3
- python312Packages.sslpsk-pmd3
- python313Packages.sslpsk-pmd3
- python314Packages.sslpsk-pmd3
- python312Packages.pmdsky-debug-py
- python313Packages.pmdsky-debug-py
- python314Packages.pmdsky-debug-py
- @LeSuisse accepted
- @LeSuisse published on GitHub
PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.
References
-
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r x_refsource_CONFIRM
-
https://github.com/pmd/pmd/pull/6475 x_refsource_MISC
Affected products
- ==< 7.22.0
Matching in nixpkgs
Ignored packages (21)
pkgs.phpPackages.phpmd
PHP code quality analyzer
pkgs.php81Packages.phpmd
None
pkgs.php82Packages.phpmd
PHP code quality analyzer
pkgs.php83Packages.phpmd
PHP code quality analyzer
pkgs.php84Packages.phpmd
PHP code quality analyzer
pkgs.php85Packages.phpmd
PHP code quality analyzer
pkgs.python312Packages.pyppmd
None
pkgs.python313Packages.pyppmd
PPMd compression/decompression library
pkgs.python314Packages.pyppmd
PPMd compression/decompression library
pkgs.python312Packages.pmdarima
None
pkgs.python313Packages.pmdarima
Statistical library designed to fill the void in Python's time series analysis capabilities, including the equivalent of R's auto.arima function
pkgs.python314Packages.pmdarima
Statistical library designed to fill the void in Python's time series analysis capabilities, including the equivalent of R's auto.arima function
pkgs.python312Packages.pytun-pmd3
None
pkgs.python313Packages.pytun-pmd3
TUN/TAP wrapper for Python with Darwin support
-
nixos-unstable pmd3-3.0.3
- nixpkgs-unstable pmd3-3.0.3
- nixos-unstable-small pmd3-3.0.3
pkgs.python314Packages.pytun-pmd3
TUN/TAP wrapper for Python with Darwin support
-
nixos-unstable pmd3-3.0.3
- nixpkgs-unstable pmd3-3.0.3
- nixos-unstable-small pmd3-3.0.3
pkgs.python312Packages.sslpsk-pmd3
None
pkgs.python313Packages.sslpsk-pmd3
Adds TLS-PSK support to the Python ssl package
-
nixos-unstable pmd3-1.0.3
- nixpkgs-unstable pmd3-1.0.3
- nixos-unstable-small pmd3-1.0.3
pkgs.python314Packages.sslpsk-pmd3
Adds TLS-PSK support to the Python ssl package
-
nixos-unstable pmd3-1.0.3
- nixpkgs-unstable pmd3-1.0.3
- nixos-unstable-small pmd3-1.0.3
pkgs.python312Packages.pmdsky-debug-py
None
pkgs.python313Packages.pmdsky-debug-py
Autogenerated and statically check-able pmdsky-debug symbol definitions for Python
pkgs.python314Packages.pmdsky-debug-py
Autogenerated and statically check-able pmdsky-debug symbol definitions for Python