Nixpkgs Security Tracker

Automatically generated suggestions


CVE-2024-38765
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Oceanic theme <= 1.0.48 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Freelancelot Oceanic allows Cross Site Request Forgery. This issue affects Oceanic: from n/a through 1.0.48.

Affected products

oceanic
  • =<1.0.48

Matching in nixpkgs

pkgs.vscode-extensions.naumovs.theme-oceanicnext

Oceanic Next theme for VSCode + dimmed-background version for a better-looking UI

Package maintainers: 1

CVE-2023-23672
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress GiveWP plugin <= 2.25.1 - Arbitrary Content Deletion vulnerability

Missing Authorization vulnerability in Liquid Web / StellarWP GiveWP. This issue affects GiveWP: from n/a through 2.25.1.

Affected products

give
  • =<2.25.1

Matching in nixpkgs

pkgs.filegive

Easy p2p file sending program

CVE-2024-7260
4.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
Keycloak-core: open redirect on account page

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user into visiting a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email, for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as an OAuth redirect URI. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.

Affected products

keycloak
  • <24.0.7
keycloak-core
rhbk/keycloak-rhel9
  • *
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

Package maintainers: 4

CVE-2024-37931
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Point theme <= 1.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Creativthemes Point allows Cross Site Request Forgery. This issue affects Point: from n/a through 1.1.

Affected products

point
  • =<1.1

Matching in nixpkgs

pkgs.pinpoint

Tool for making hackers do excellent presentations

pkgs.git-point

Set arbitrary refs without shooting yourself in the foot, a porcelain `git update-ref`

pkgs.ratpoints

Program to find rational points on hyperelliptic curves

pkgs.mountpoint-s3

Simple, high-throughput file client for mounting an Amazon S3 bucket as a local file system

pkgs.breakpointHook

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.libpointmatcher

"Iterative Closest Point" library for 2-D/3-D mapping in robotics

pkgs.xpointerbarrier

Create X11 pointer barriers around your working area

pkgs.highlight-pointer

Highlight mouse pointer/cursor using a dot

pkgs.breakpointHookCntr

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.quake3pointrelease

Quake 3 Arena point release

pkgs.haskellPackages.pointed

Pointed and copointed data

pkgs.haskellPackages.fixpoint

Data types as fixpoints

pkgs.haskellPackages.pointfree

Tool for refactoring expressions into pointfree form

pkgs.python312Packages.pypoint

Python module for communicating with Minut Point

pkgs.python313Packages.pypoint

Python module for communicating with Minut Point

pkgs.haskellPackages.breakpoint

Set breakpoints using a GHC plugin

pkgs.haskellPackages.mountpoints

list mount points

pkgs.haskellPackages.pointedlist

A zipper-like comonad which works as a list, tracking a position

pkgs.python312Packages.datapoint

Python interface to the Met Office's Datapoint API

pkgs.python313Packages.datapoint

Python interface to the Met Office's Datapoint API

pkgs.haskellPackages.pointless-fun

Some common point-free combinators

pkgs.python312Packages.entrypoint2

Easy to use command-line interface for python modules

pkgs.python312Packages.entrypoints

Discover and load entry points from installed packages

pkgs.python312Packages.jsonpointer

Resolve JSON Pointers in Python

pkgs.python313Packages.entrypoint2

Easy to use command-line interface for python modules

pkgs.python313Packages.entrypoints

Discover and load entry points from installed packages

pkgs.python313Packages.jsonpointer

Resolve JSON Pointers in Python

pkgs.gnomeExtensions.pointer-tracker

Highlight the mouse cursor to make it visible on screencasts

pkgs.rubyPackages.indieweb-endpoints

pkgs.haskellPackages.amazonka-pinpoint

Amazon Pinpoint SDK

pkgs.python312Packages.fastentrypoints

Makes entry_points specified in setup.py load more quickly

pkgs.python313Packages.fastentrypoints

Makes entry_points specified in setup.py load more quickly

pkgs.typstPackages.stack-pointer_0_1_0

A library for visualizing the execution of (imperative) computer programs

pkgs.python312Packages.entry-points-txt

Read & write entry_points.txt files

pkgs.python312Packages.orbax-checkpoint

Orbax provides common utility libraries for JAX users

pkgs.python313Packages.entry-points-txt

Read & write entry_points.txt files

pkgs.python313Packages.orbax-checkpoint

Orbax provides common utility libraries for JAX users

pkgs.typstPackages.pointless-size_0_1_0

Chinese type size system (hào-system) and type-related measurement units

pkgs.typstPackages.pointless-size_0_1_1

Chinese type size system (hào-system) and type-related measurement units

pkgs.rubyPackages_3_1.indieweb-endpoints

pkgs.rubyPackages_3_2.indieweb-endpoints

pkgs.rubyPackages_3_3.indieweb-endpoints

pkgs.rubyPackages_3_4.indieweb-endpoints

pkgs.home-assistant-component-tests.point

Open source home automation that puts local control and privacy first

pkgs.haskellPackages.acme-pointful-numbers

Make more than one point in numeric literals

pkgs.python312Packages.checkpoint-schedules

Schedules for incremental checkpointing of adjoint simulations

pkgs.python312Packages.langgraph-checkpoint

Library with base interfaces for LangGraph checkpoint savers

pkgs.python313Packages.checkpoint-schedules

Schedules for incremental checkpointing of adjoint simulations

pkgs.python313Packages.langgraph-checkpoint

Library with base interfaces for LangGraph checkpoint savers

pkgs.haskellPackages.amazonka-pinpoint-email

Amazon Pinpoint Email Service SDK

pkgs.haskellPackages.amazonka-pinpoint-sms-voice

Amazon Pinpoint SMS and Voice Service SDK

pkgs.python312Packages.types-aiobotocore-pinpoint

Type annotations for aiobotocore pinpoint

pkgs.python313Packages.types-aiobotocore-pinpoint

Type annotations for aiobotocore pinpoint

pkgs.python312Packages.langgraph-checkpoint-sqlite

Library with a SQLite implementation of LangGraph checkpoint saver

pkgs.python313Packages.langgraph-checkpoint-sqlite

Library with a SQLite implementation of LangGraph checkpoint saver

pkgs.haskellPackages.amazonka-pinpoint-sms-voice-v2

Amazon Pinpoint SMS Voice V2 SDK

pkgs.python312Packages.langgraph-checkpoint-postgres

Library with a Postgres implementation of LangGraph checkpoint saver

pkgs.python313Packages.langgraph-checkpoint-postgres

Library with a Postgres implementation of LangGraph checkpoint saver

pkgs.python312Packages.types-aiobotocore-pinpoint-email

Type annotations for aiobotocore pinpoint-email

pkgs.python313Packages.types-aiobotocore-pinpoint-email

Type annotations for aiobotocore pinpoint-email

pkgs.python312Packages.backports-entry-points-selectable

Compatibility shim providing selectable entry points for older implementations

pkgs.python313Packages.backports-entry-points-selectable

Compatibility shim providing selectable entry points for older implementations

pkgs.python312Packages.types-aiobotocore-pinpoint-sms-voice

Type annotations for aiobotocore pinpoint-sms-voice

pkgs.python313Packages.types-aiobotocore-pinpoint-sms-voice

Type annotations for aiobotocore pinpoint-sms-voice

pkgs.python312Packages.azure-synapse-managedprivateendpoints

Microsoft Azure Synapse Managed Private Endpoints Client Library

pkgs.python313Packages.azure-synapse-managedprivateendpoints

Microsoft Azure Synapse Managed Private Endpoints Client Library

pkgs.python312Packages.types-aiobotocore-pinpoint-sms-voice-v2

Type annotations for aiobotocore pinpoint-sms-voice-v2

pkgs.python313Packages.types-aiobotocore-pinpoint-sms-voice-v2

Type annotations for aiobotocore pinpoint-sms-voice-v2

Package maintainers: 19

CVE-2024-37490
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Bard theme <= 2.210 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Bard allows Cross Site Request Forgery. This issue affects Bard: from n/a through 2.210.

Affected products

bard
  • =<2.210

Matching in nixpkgs

pkgs.bombardier

Fast cross-platform HTTP benchmarking tool written in Go

Package maintainers: 1

CVE-2024-38789
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Telegram Bot & Channel plugin <= 3.8.2 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Telegram Bot & Channel allows Cross Site Request Forgery. This issue affects Telegram Bot & Channel: from n/a through 3.8.2.

Affected products

telegram-bot
  • =<3.8.2

Matching in nixpkgs

pkgs.telegram-bot-api

Telegram Bot API server

pkgs.haskellPackages.telegram-bot-api

Easy to use library for building Telegram bots. Exports Telegram Bot API.

pkgs.haskellPackages.telegram-bot-simple

Easy to use library for building Telegram bots

pkgs.python312Packages.python-telegram-bot

Python library to interface with the Telegram Bot API

pkgs.python313Packages.python-telegram-bot

Python library to interface with the Telegram Bot API

Package maintainers: 5

CVE-2024-37478
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Ashe theme <= 2.233 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Ashe allows Cross Site Request Forgery. This issue affects Ashe: from n/a through 2.233.

Affected products

ashe
  • =<2.233

Matching in nixpkgs

pkgs.ashell

Ready to go Wayland status bar for Hyprland

pkgs.dasher

Information-efficient text-entry interface, driven by natural continuous pointing gestures

pkgs.hashes

Simple hash algorithm identification GUI

pkgs.seashells

Pipe command-line programs to seashells.io

pkgs.gcfflasher

CFFlasher is the tool to program the firmware of dresden elektronik's Zigbee products

pkgs.pixelflasher

Pixel™ phone flashing GUI utility with features

pkgs.haskellPackages.hashes

Hash functions

pkgs.python312Packages.cashews

Cache tools with async power

pkgs.python313Packages.cashews

Cache tools with async power

pkgs.tests.texlive.fixedHashes

  • nixos-unstable ???
    • nixpkgs-unstable

pkgs.python312Packages.universal-silabs-flasher

Flashes Silicon Labs radios running EmberZNet or CPC multi-pan firmware

pkgs.python313Packages.universal-silabs-flasher

Flashes Silicon Labs radios running EmberZNet or CPC multi-pan firmware

pkgs.home-assistant-component-tests.ruckus_unleashed

Open source home automation that puts local control and privacy first

Package maintainers: 9

CVE-2024-38766
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Matomo Analytics plugin <= 5.1.1 - Cross Site Request Forgery (CSRF) leading to Notice Dismissal vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Matomo Matomo Analytics allows Cross Site Request Forgery. This issue affects Matomo Analytics: from n/a through 5.1.1.

Affected products

matomo
  • =<5.1.1

Matching in nixpkgs

pkgs.matomo_5

Real-time web analytics application

Package maintainers: 10

CVE-2023-47183
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress GiveWP plugin <= 2.33.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in GiveWP GiveWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GiveWP: from n/a through 2.33.1.

Affected products

give
  • =<2.33.1

Matching in nixpkgs

pkgs.filegive

Easy p2p file sending program

CVE-2024-56217
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 3 months ago
WordPress Download Manager plugin <= 3.3.03 - Broken Access Control vulnerability

Missing Authorization vulnerability in W3 Eden, Inc. Download Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Manager: from n/a through 3.3.03.

Affected products

download-manager
  • =<3.3.03

Matching in nixpkgs

pkgs.lomiri.lomiri-download-manager

Performs uploads and downloads from a centralized location

Package maintainers: 1