
Automatically generated suggestions


CVE-2024-38765
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 5 months, 2 weeks ago
WordPress Oceanic theme <= 1.0.48 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Freelancelot Oceanic allows Cross Site Request Forgery. This issue affects Oceanic: from n/a through 1.0.48.

oceanic
=<1.0.48

pkgs.vscode-extensions.naumovs.theme-oceanicnext

Oceanic Next theme for VSCode + dimmed bg version for better looking UI

pkgs.vscode-extensions.naumovs.theme-oceanicnext.x86_64-linux

Oceanic Next theme for VSCode + dimmed bg version for better looking UI

pkgs.vscode-extensions.naumovs.theme-oceanicnext.aarch64-linux

Oceanic Next theme for VSCode + dimmed bg version for better looking UI

pkgs.vscode-extensions.naumovs.theme-oceanicnext.x86_64-darwin

Oceanic Next theme for VSCode + dimmed bg version for better looking UI

pkgs.vscode-extensions.naumovs.theme-oceanicnext.aarch64-darwin

Oceanic Next theme for VSCode + dimmed bg version for better looking UI
CVE-2024-45616
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): PHYSICAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 5 months, 2 weeks ago
Libopensc: uninitialized values after incorrect check or usage of apdu response values in libopensc

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB device or smart card that presents the system with a specially crafted response to APDUs. These problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.

opensc
libopensc
<0.26.0

pkgs.openscad-lsp.x86_64-linux

LSP (Language Server Protocol) server for OpenSCAD

pkgs.openscad-lsp.aarch64-linux

LSP (Language Server Protocol) server for OpenSCAD

pkgs.openscad-lsp.x86_64-darwin

LSP (Language Server Protocol) server for OpenSCAD

pkgs.openscad-lsp.aarch64-darwin

LSP (Language Server Protocol) server for OpenSCAD

pkgs.vscode-extensions.antyos.openscad

OpenSCAD highlighting, snippets, and more for VSCode

pkgs.vscode-extensions.antyos.openscad.x86_64-linux

OpenSCAD highlighting, snippets, and more for VSCode

pkgs.vscode-extensions.antyos.openscad.aarch64-linux

OpenSCAD highlighting, snippets, and more for VSCode

pkgs.vscode-extensions.antyos.openscad.x86_64-darwin

OpenSCAD highlighting, snippets, and more for VSCode

pkgs.vscode-extensions.antyos.openscad.aarch64-darwin

OpenSCAD highlighting, snippets, and more for VSCode
CVE-2024-37490
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 5 months, 2 weeks ago
WordPress Bard theme <= 2.210 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Bard allows Cross Site Request Forgery. This issue affects Bard: from n/a through 2.210.

bard
=<2.210

pkgs.bombardier.x86_64-linux

Fast cross-platform HTTP benchmarking tool written in Go

pkgs.texlivePackages.bardiag

LaTeX package for drawing bar diagrams

pkgs.bombardier.aarch64-linux

Fast cross-platform HTTP benchmarking tool written in Go

pkgs.bombardier.x86_64-darwin

Fast cross-platform HTTP benchmarking tool written in Go

pkgs.bombardier.aarch64-darwin

Fast cross-platform HTTP benchmarking tool written in Go

pkgs.texlivePackages.bardiag.x86_64-linux

LaTeX package for drawing bar diagrams
CVE-2023-23672
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 5 months, 2 weeks ago
WordPress GiveWP plugin <= 2.25.1 - Arbitrary Content Deletion vulnerability

Missing Authorization vulnerability in Liquid Web / StellarWP GiveWP. This issue affects GiveWP: from n/a through 2.25.1.

give
=<2.25.1
CVE-2024-37478
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 5 months, 2 weeks ago
WordPress Ashe theme <= 2.233 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Ashe allows Cross Site Request Forgery. This issue affects Ashe: from n/a through 2.233.

ashe
=<2.233

pkgs.hashes

Simple hash algorithm identification GUI

pkgs.gcfflasher

CFFlasher is the tool to program the firmware of dresden elektronik's Zigbee products

pkgs.hashes.x86_64-linux

Simple hash algorithm identification GUI

pkgs.hashes.aarch64-linux

Simple hash algorithm identification GUI

pkgs.hashes.x86_64-darwin

Simple hash algorithm identification GUI

pkgs.hashes.aarch64-darwin

Simple hash algorithm identification GUI

pkgs.seashells.x86_64-linux

Pipe command-line programs to seashells.io

pkgs.gcfflasher.x86_64-linux

CFFlasher is the tool to program the firmware of dresden elektronik's Zigbee products

pkgs.seashells.aarch64-linux

Pipe command-line programs to seashells.io

pkgs.seashells.x86_64-darwin

Pipe command-line programs to seashells.io

pkgs.gcfflasher.aarch64-linux

CFFlasher is the tool to program the firmware of dresden elektronik's Zigbee products

pkgs.gcfflasher.x86_64-darwin

CFFlasher is the tool to program the firmware of dresden elektronik's Zigbee products

pkgs.seashells.aarch64-darwin

Pipe command-line programs to seashells.io

pkgs.gcfflasher.aarch64-darwin

CFFlasher is the tool to program the firmware of dresden elektronik's Zigbee products

pkgs.python311Packages.cashews

Cache tools with async power

pkgs.python311Packages.cashews.x86_64-linux

Cache tools with async power

pkgs.python312Packages.cashews.x86_64-linux

Cache tools with async power

pkgs.python311Packages.cashews.aarch64-linux

Cache tools with async power

pkgs.python311Packages.cashews.x86_64-darwin

Cache tools with async power

pkgs.python312Packages.cashews.aarch64-linux

Cache tools with async power

pkgs.python312Packages.cashews.x86_64-darwin

Cache tools with async power

pkgs.python311Packages.cashews.aarch64-darwin

Cache tools with async power

pkgs.python312Packages.cashews.aarch64-darwin

Cache tools with async power

pkgs.python311Packages.universal-silabs-flasher

Flashes Silicon Labs radios running EmberZNet or CPC multi-pan firmware

pkgs.python312Packages.universal-silabs-flasher

Flashes Silicon Labs radios running EmberZNet or CPC multi-pan firmware

pkgs.python311Packages.universal-silabs-flasher.x86_64-linux

Flashes Silicon Labs radios running EmberZNet or CPC multi-pan firmware

pkgs.python312Packages.universal-silabs-flasher.x86_64-linux

Flashes Silicon Labs radios running EmberZNet or CPC multi-pan firmware

pkgs.python311Packages.universal-silabs-flasher.aarch64-linux

Flashes Silicon Labs radios running EmberZNet or CPC multi-pan firmware

pkgs.python312Packages.universal-silabs-flasher.aarch64-linux

Flashes Silicon Labs radios running EmberZNet or CPC multi-pan firmware

pkgs.home-assistant-component-tests.ruckus_unleashed.x86_64-linux

Open source home automation that puts local control and privacy first

pkgs.home-assistant-component-tests.ruckus_unleashed.aarch64-linux

Open source home automation that puts local control and privacy first
CVE-2024-45615
3.9 LOW
  • CVSS version: 3.1
  • Attack vector (AV): PHYSICAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 5 months, 2 weeks ago
Libopensc: pkcs15init: usage of uninitialized values in libopensc and pkcs15init

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. The problem is missing initialization of variables that callers expect to be initialized (for example, values passed on as arguments to other functions).
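Both OpenSC entries on this page (CVE-2024-45616 above, on the response APDU buffer and its length, and CVE-2024-45615 here, on values left uninitialized) come down to the same host-side rule: the card chooses how many bytes it returns, so nothing may be read from the response beyond the length actually received. The following is an added example written for this page, not OpenSC code; the response layout (data followed by a two-byte status word) and the simple one-byte-tag, one-byte-length TLV records are assumptions for illustration, and the byte strings are constructed test data standing in for a hostile card.

```python
"""Added example (not OpenSC's code): treat a smart card's response APDU
as untrusted input.  The card controls both the status word and the
number of data bytes, so every field is bounded by the length received,
never by the length the host asked for."""


class CardError(Exception):
    """Raised for any response that cannot be used safely."""


def split_response(resp: bytes):
    """Return (data, sw).  A reply shorter than the 2-byte SW is invalid."""
    if len(resp) < 2:
        raise CardError("response shorter than status word")
    return resp[:-2], (resp[-2] << 8) | resp[-1]


def read_fixed_record(resp: bytes, expected_len: int) -> bytes:
    """Accept a fixed-size record only if SW is 9000 and the data length is
    exactly what the caller will read.  A short reply accepted here would
    leave the tail of a host-side buffer holding whatever was there before,
    which is the uninitialised-value pattern in the two advisories."""
    data, sw = split_response(resp)
    if sw != 0x9000:
        raise CardError(f"card returned SW {sw:04X}")
    if len(data) != expected_len:
        raise CardError(f"expected {expected_len} data bytes, got {len(data)}")
    return data


def parse_simple_tlv(data: bytes) -> dict:
    """Parse assumed 1-byte-tag / 1-byte-length records, refusing a length
    that runs past the bytes the card actually sent."""
    out, off = {}, 0
    while off < len(data):
        if len(data) - off < 2:
            raise CardError("truncated TLV header")
        tag, ln = data[off], data[off + 1]
        if off + 2 + ln > len(data):
            raise CardError(f"tag {tag:02X} length {ln} exceeds response")
        out[tag] = data[off + 2:off + 2 + ln]
        off += 2 + ln
    return out


def response_is_usable(resp: bytes, expected_len: int) -> bool:
    """True only if every check above passes; False for anything a
    malicious card could use to make the host read past its data."""
    try:
        parse_simple_tlv(read_fixed_record(resp, expected_len))
        return True
    except CardError:
        return False


# Constructed responses: one honest card and four hostile ones.
HONEST = bytes.fromhex("5A02AABB" "9000")      # tag 5A, 2 bytes, SW 9000
LYING_TLV = bytes.fromhex("5A10AABB" "9000")   # claims 16 bytes, sends 2
SHORT_DATA = bytes.fromhex("5A02AA" "9000")    # one data byte missing
ERROR_SW = bytes.fromhex("5A02AABB" "6A82")    # file not found, data stale
NO_SW = bytes.fromhex("90")                    # not even a status word
```

The status word is checked before the data length because a card that answers an error may return arbitrary bytes in the data field; the TLV walk then refuses any inner length that points outside the received bytes rather than clamping it.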

opensc
libopensc
<0.26.0

pkgs.openscad-lsp.x86_64-linux

LSP (Language Server Protocol) server for OpenSCAD

pkgs.openscad-lsp.aarch64-linux

LSP (Language Server Protocol) server for OpenSCAD

pkgs.openscad-lsp.x86_64-darwin

LSP (Language Server Protocol) server for OpenSCAD

pkgs.openscad-lsp.aarch64-darwin

LSP (Language Server Protocol) server for OpenSCAD

pkgs.vscode-extensions.antyos.openscad

OpenSCAD highlighting, snippets, and more for VSCode

pkgs.vscode-extensions.antyos.openscad.x86_64-linux

OpenSCAD highlighting, snippets, and more for VSCode

pkgs.vscode-extensions.antyos.openscad.aarch64-linux

OpenSCAD highlighting, snippets, and more for VSCode

pkgs.vscode-extensions.antyos.openscad.x86_64-darwin

OpenSCAD highlighting, snippets, and more for VSCode

pkgs.vscode-extensions.antyos.openscad.aarch64-darwin

OpenSCAD highlighting, snippets, and more for VSCode
CVE-2024-7260
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 5 months, 2 weeks ago
Keycloak-core: open redirect on account page

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed in which the referrer and referrer_uri parameters send the user to a malicious web page. Because the link starts at a trusted Keycloak URL, users and automation are led to believe it is safe when it in fact redirects to a malicious server, which can be used for phishing or other attacks. Once such a URL is crafted it can be sent to a Keycloak admin, for example by email; the vulnerability is triggered when the user visits the page and clicks the link, so an attacker can target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying the crafted URL as an OAuth redirect_uri. The attacker can further obfuscate the redirect_uri with URL encoding to hide the text of the actual malicious domain.
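The description above names the two things a redirect check has to survive: a target that is a different origin dressed up to look trusted, and percent-encoding used to hide that origin. The following is an added example for this page, not Keycloak's code: an allow-list check for a return URL such as the referrer_uri parameter, with the allowed hosts, the parameter name and the sample URLs being assumptions constructed for illustration. It goes beyond the advisory's text by also rejecting scheme-relative, backslash and userinfo tricks that browsers resolve to another host.

```python
"""Added example (not Keycloak's code): validate a post-login return URL
against an allow-list of hosts before redirecting.  Assumed allow-list and
sample inputs are constructed for illustration."""
from urllib.parse import urlsplit, unquote

# Constructed allow-list: hosts this deployment may send a user back to.
ALLOWED_HOSTS = {"sso.example.com", "app.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` resolves to an allowed host or is a
    plain same-origin path.

    Percent-encoding is removed first (repeatedly, so double encoding of
    the host does not hide it), backslashes are normalised to slashes
    because browsers treat them that way, and control characters are
    refused outright.  Absolute URLs must be http(s) to an allowed host;
    relative targets must start with a single '/' so that '//evil.example'
    cannot be read as a scheme-relative URL.
    """
    decoded = target
    for _ in range(3):                       # unwind nested %-encoding
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    decoded = decoded.replace("\\", "/").strip()
    if not decoded or any(c in decoded for c in "\r\n\t\x00"):
        return False
    parts = urlsplit(decoded)
    if parts.scheme:
        # urlsplit().hostname drops userinfo and port and lower-cases, so
        # 'https://app.example.com@evil.example.net/' yields the real host.
        return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    return decoded.startswith("/") and not decoded.startswith("//")


def choose_redirect(requested: str, fallback: str = "/") -> str:
    """What a handler would actually do: honour the parameter only when it
    passes the check, otherwise fall back to a fixed local path."""
    return requested if is_safe_redirect(requested) else fallback


# Constructed inputs of the kinds the advisory describes.
SAMPLES = {
    "/account/": True,
    "https://app.example.com/account?tab=1": True,
    "https://evil.example.net/": False,
    "//evil.example.net/": False,                      # scheme-relative
    "/\\evil.example.net": False,                      # backslash variant
    "https%3A%2F%2Fevil.example.net%2F": False,        # encoded host
    "https://app.example.com@evil.example.net/": False,  # userinfo trick
    "javascript:alert(1)": False,
}
```

The check decodes before parsing on purpose: validating the encoded string and then letting a later layer decode it is exactly the mismatch that lets an encoded domain slip through. A port on an allowed host is accepted here; tighten `allowed_hosts` to host:port pairs if that matters for the deployment.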

keycloak
<24.0.7
keycloak-core
rhbk/keycloak-rhel9
*
rhbk/keycloak-rhel9-operator
*
rhbk/keycloak-operator-bundle
*

pkgs.keycloak.x86_64-linux

Identity and access management for modern applications and services

pkgs.keycloak.aarch64-linux

Identity and access management for modern applications and services

pkgs.python311Packages.python-keycloak.x86_64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-linux

Provides access to the Keycloak API

pkgs.python311Packages.python-keycloak.aarch64-linux

Provides access to the Keycloak API

pkgs.python311Packages.python-keycloak.x86_64-darwin

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-linux

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.x86_64-darwin

Provides access to the Keycloak API

pkgs.python311Packages.python-keycloak.aarch64-darwin

Provides access to the Keycloak API

pkgs.python312Packages.python-keycloak.aarch64-darwin

Provides access to the Keycloak API
CVE-2024-5564
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 5 months, 2 weeks ago
Libndp: buffer overflow in route information length field

A vulnerability was found in libndp. This flaw allows an attacker on the local link to cause a buffer overflow in NetworkManager by sending a malformed IPv6 router advertisement packet. The issue occurred because libndp did not correctly validate the route information length.
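The length that matters here is the one inside the Route Information option (RFC 4191, option type 24): the option's Length field says how many 8-octet units are present (1, 2 or 3, giving a 0, 8 or 16 octet prefix field), and the separate Prefix Length byte says how many bits of prefix to copy. A receiver that copies Prefix Length bits without checking they fit in the octets the Length field actually provides reads past the option. The following is an added example for this page, not libndp's code: a parser for an RA's option block that rejects that inconsistency before touching the prefix. The packet bytes are constructed test data; the encoder is there only so the malformed case can be built.

```python
"""Added example (not libndp's code): bounds-checked parsing of ICMPv6
Router Advertisement options, with the RFC 4191 Route Information check
the advisory above is about.  Test packets are constructed inline."""
import ipaddress
import struct

ND_OPT_ROUTE_INFO = 24            # RFC 4191 Route Information option


class MalformedOption(ValueError):
    """Any option whose length fields disagree with the bytes present."""


def iter_nd_options(opts: bytes):
    """Yield (type, body) for each TLV option after the 16-byte RA header.

    Length counts 8-octet units including the 2-byte header; zero is
    forbidden by RFC 4861, and a length running past the buffer is
    rejected before anything inside the option is read.
    """
    off = 0
    while off < len(opts):
        if len(opts) - off < 2:
            raise MalformedOption("truncated option header")
        typ, ln = opts[off], opts[off + 1]
        if ln == 0:
            raise MalformedOption("zero option length")
        end = off + ln * 8
        if end > len(opts):
            raise MalformedOption("option length exceeds packet")
        yield typ, opts[off + 2:end]
        off = end


def parse_route_info(body: bytes):
    """Decode one Route Information option body (header already stripped).

    Returns (prefix_len, preference, lifetime_s, prefix).  The prefix field
    holds 0, 8 or 16 octets for Length 1, 2 or 3, so the advertised prefix
    length must fit in the octets actually present; copying prefix_len bits
    out of a shorter option is the overflow pattern described above.
    """
    opt_len = (len(body) + 2) // 8                 # recover the Length field
    max_prefix_len = {1: 0, 2: 64, 3: 128}.get(opt_len)
    if max_prefix_len is None:
        raise MalformedOption(f"route info option with length {opt_len}")
    prefix_len, flags = body[0], body[1]
    if prefix_len > max_prefix_len:
        raise MalformedOption(
            f"prefix length {prefix_len} does not fit option length {opt_len}")
    lifetime, = struct.unpack("!I", body[2:6])
    prefix_octets = body[6:6 + (prefix_len + 7) // 8]
    prefix = ipaddress.IPv6Address(prefix_octets.ljust(16, b"\0"))
    return prefix_len, (flags >> 3) & 0x3, lifetime, prefix   # Prf is bits 3-4


def parse_ra_routes(opts: bytes):
    """All Route Information entries in an RA's option block."""
    return [parse_route_info(body) for typ, body in iter_nd_options(opts)
            if typ == ND_OPT_ROUTE_INFO]


def ra_routes_are_valid(opts: bytes) -> bool:
    try:
        parse_ra_routes(opts)
        return True
    except MalformedOption:
        return False


def build_route_info(prefix_len: int, opt_len: int, prefix: bytes = b"",
                     lifetime: int = 3600) -> bytes:
    """Constructed test data: encode one option, deliberately allowing an
    inconsistent prefix_len / opt_len pair so a hostile RA can be built."""
    body = bytes([prefix_len, 0x08]) + struct.pack("!I", lifetime) + prefix
    body = body.ljust(opt_len * 8 - 2, b"\0")[:opt_len * 8 - 2]
    return bytes([ND_OPT_ROUTE_INFO, opt_len]) + body


# A well-formed /64 route and the shape of a malformed one: Length 2
# (8 prefix octets) but Prefix Length 128 (16 octets to copy).
GOOD_RA_OPTS = build_route_info(64, 2, bytes.fromhex("20010db800010000"))
BAD_RA_OPTS = build_route_info(128, 2)
```

The same two-stage discipline (outer TLV length against the packet, inner field length against the option) applies to the other RA options as well; the Route Information check is just the one this CVE is about.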

libndp
<1.7-7
*

pkgs.libndp

Library for Neighbor Discovery Protocol

pkgs.libndp.x86_64-linux

Library for Neighbor Discovery Protocol

pkgs.libndp.aarch64-linux

Library for Neighbor Discovery Protocol
CVE-2024-6239
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 5 months, 2 weeks ago
Poppler: pdfinfo: crash in broken documents when using -dests parameter

A flaw was found in Poppler's pdfinfo utility. The issue occurs when pdfinfo is run with the -dests parameter: certain malformed input files cause the utility to crash, leading to a denial of service.

poppler
=<24.06.1
*
compat-poppler022
gimp:flatpak/poppler
inkscape:flatpak/poppler
libreoffice:flatpak/poppler

pkgs.python311Packages.python-poppler

Python binding to poppler-cpp

pkgs.python312Packages.python-poppler

Python binding to poppler-cpp

pkgs.python311Packages.python-poppler.x86_64-linux

Python binding to poppler-cpp

pkgs.python312Packages.python-poppler.x86_64-linux

Python binding to poppler-cpp

pkgs.python311Packages.python-poppler.aarch64-linux

Python binding to poppler-cpp

pkgs.python311Packages.python-poppler.x86_64-darwin

Python binding to poppler-cpp

pkgs.python312Packages.python-poppler.aarch64-linux

Python binding to poppler-cpp

pkgs.python312Packages.python-poppler.x86_64-darwin

Python binding to poppler-cpp

pkgs.python311Packages.python-poppler.aarch64-darwin

Python binding to poppler-cpp

pkgs.python312Packages.python-poppler.aarch64-darwin

Python binding to poppler-cpp

pkgs.tests.pkg-config.defaultPkgConfigPackages.poppler-glib

Test whether poppler-glib-24.02.0 exposes pkg-config modules poppler-glib
  • nixos-24.05
    • nixpkgs-24.05-darwin
  • nixos-24.11
    • nixpkgs-24.11-darwin
  • nixos-unstable
    • nixos-unstable-small
    • nixpkgs-unstable

pkgs.tests.pkg-config.defaultPkgConfigPackages.poppler-glib.x86_64-linux

Test whether poppler-glib-24.02.0 exposes pkg-config modules poppler-glib
  • nixos-24.05
    • nixos-24.05-small
  • nixos-24.11
    • nixos-24.11-small
  • nixos-unstable

pkgs.tests.pkg-config.defaultPkgConfigPackages.poppler-glib.aarch64-linux

Test whether poppler-glib-24.02.0 exposes pkg-config modules poppler-glib
  • nixos-24.05
    • nixos-24.05-small
  • nixos-24.11
    • nixos-24.11-small
  • nixos-unstable

pkgs.tests.pkg-config.defaultPkgConfigPackages.poppler-glib.x86_64-darwin

Test whether poppler-glib-24.02.0 exposes pkg-config modules poppler-glib
  • nixos-24.05
    • nixos-24.05-small
  • nixos-24.11
    • nixos-24.11-small
  • nixos-unstable

pkgs.tests.pkg-config.defaultPkgConfigPackages.poppler-glib.aarch64-darwin

Test whether poppler-glib-24.02.0 exposes pkg-config modules poppler-glib
  • nixos-24.05
    • nixos-24.05-small
  • nixos-24.11
    • nixos-24.11-small
  • nixos-unstable
CVE-2024-7143
created 5 months, 2 weeks ago
Pulpcore: rbac permissions incorrectly assigned in tasks that create objects

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects created within a task, that current user is set to the first user with any permissions on the task object, so the oldest user with model- or domain-level task permissions is always treated as the current user of the task, even if they did not dispatch it. As a result, all objects created in tasks have their permissions assigned to this oldest user, and the user who actually created them receives none.

pulp
=<3.56.0
receptor
python-django
python-urllib3
python-pulpcore
python3x-django
python3x-urllib3
python3x-pulpcore
automation-controller
python-pulpcore-client
rubygem-pulpcore_client

pkgs.python311Packages.pulp.aarch64-darwin

Module to generate MPS or LP files