Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to queue a suggestion for refinement.

to remove a suggestion from the queue.

CVE-2024-54245
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Clients plugin <= 1.1.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Clients allows Stored XSS.This issue affects Clients: from n/a through 1.1.4.

Affected products

clients
  • =<1.1.4

Matching in nixpkgs

pkgs.xlsclients

Utility to list client applications running on a X11 display

pkgs.argus-clients

Clients for ARGUS

pkgs.xorg.xlsclients

Utility to list client applications running on a X11 display

pkgs.haskellPackages.clientsession

Securely store session data in a client-side cookie

pkgs.haskellPackages.wai-session-clientsession

Session store based on clientsession

Package maintainers: 1

CVE-2023-38383
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Language plugin <= 1.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in OnTheGoSystems Language allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Language: from n/a through 1.2.1.

Affected products

wordpress-language
  • =<1.2.1

Matching in nixpkgs

pkgs.wordpressPackages.languages.de_DE

pkgs.wordpressPackages.languages.fr_FR

pkgs.wordpressPackages.languages.ro_RO

pkgs.wordpressPackages.languages.ru_RU

CVE-2024-54322
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
WordPress Media Downloader plugin <= 0.4.7.4 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ederson Peka Media Downloader allows Reflected XSS.This issue affects Media Downloader: from n/a through 0.4.7.4.

Affected products

media-downloader
  • =<0.4.7.4

Matching in nixpkgs

pkgs.media-downloader

Qt/C++ GUI front end for yt-dlp and others

Package maintainers: 2

CVE-2024-8698
7.7 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
Keycloak-saml-core: improper verification of saml responses leading to privilege escalation in keycloak

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

Affected products

keycloak
  • <25.0.5
eap8-hppc
  • *
eap8-log4j
  • *
eap8-slf4j
  • *
eap8-jctools
  • *
eap8-jgroups
  • *
eap8-wildfly
  • *
eap8-narayana
  • *
eap8-asyncutil
  • *
eap8-hibernate
  • *
eap8-saaj-impl
  • *
eap8-snakeyaml
  • *
eap8-apache-cxf
  • *
eap8-cryptacular
  • *
eap8-fastinfoset
  • *
rh-sso7-keycloak
  • *
eap8-aws-java-sdk
  • *
eap8-pem-keystore
  • *
eap8-aesh-readline
  • *
eap8-jboss-logging
  • *
eap8-objectweb-asm
  • *
eap8-artemis-native
  • *
rhbk/keycloak-rhel9
  • *
eap8-aesh-extensions
  • *
eap8-nimbus-jose-jwt
  • *
eap8-resteasy-spring
  • *
eap8-activemq-artemis
  • *
eap8-apache-commons-io
  • *
eap8-jboss-cert-helper
  • *
eap8-apache-commons-lang
  • *
eap8-hibernate-validator
  • *
eap8-resteasy-extensions
  • *
eap8-apache-commons-codec
  • *
eap8-insights-java-client
  • *
keycloak-saml-core-public
eap8-activemq-artemis-native
  • *
eap8-eap-product-conf-parent
  • *
eap8-shibboleth-java-support
  • *
org.keycloak-keycloak-parent
rhbk/keycloak-rhel9-operator
  • *
rhbk/keycloak-operator-bundle
  • *
rh-sso-7/sso76-openshift-rhel8
  • *
eap8-apache-commons-collections
  • *
org.keycloak/keycloak-saml-core
eap8-artemis-wildfly-integration
  • *
eap8-jakarta-servlet-jsp-jstl-api
  • *
org.keycloak/keycloak-saml-core-public

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

pkgs.terraform-providers.keycloak

pkgs.python312Packages.python-keycloak

Provides access to the Keycloak API

pkgs.python313Packages.python-keycloak

Provides access to the Keycloak API

Package maintainers: 4

CVE-2023-49845
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Redirects plugin <= 1.2.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Loud Dog Redirects allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Redirects: from n/a through 1.2.1.

Affected products

redirects
  • =<1.2.1

Matching in nixpkgs

pkgs.nixos-render-docs-redirects

Redirects manipulation for nixos manuals

pkgs.python312Packages.mkdocs-redirects

Open source plugin for Mkdocs page redirects

pkgs.python313Packages.mkdocs-redirects

Open source plugin for Mkdocs page redirects

pkgs.python312Packages.sphinx-reredirects

Handles redirects for moved pages in Sphinx documentation projects

pkgs.python313Packages.sphinx-reredirects

Handles redirects for moved pages in Sphinx documentation projects

Package maintainers: 2

CVE-2023-30486
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Square theme <= 2.0.0 - Broken Access Control

Missing Authorization vulnerability in HashThemes Square allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Square: from n/a through 2.0.0.

Affected products

square
  • =<2.0.0

Matching in nixpkgs

pkgs.kreative-square

Fullwidth scalable monospace font designed specifically to support pseudographics, semigraphics, and private use characters

pkgs.kdePackages.ksquares

KSquares is modeled after the well known pen and paper based game of Dots and Boxes

pkgs.haskellPackages.squares

The double category of Hask functors and profunctors

pkgs.numix-icon-theme-square

Numix icon theme (square version)

pkgs.python312Packages.pylink-square

Python interface for the SEGGER J-Link

pkgs.python313Packages.pylink-square

Python interface for the SEGGER J-Link

Package maintainers: 11

CVE-2023-25993
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 3 months ago
WordPress Top 10 – Popular posts plugin for WordPress plugin <= 3.2.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in WebberZone Top 10 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Top 10: from n/a through 3.2.3.

Affected products

top-10
  • =<3.2.3

Matching in nixpkgs

pkgs.budgie-desktop

Feature-rich, modern desktop designed to keep out the way of the user

pkgs.gnomeExtensions.serenity-desktop

A Per-Monitor-Workspace window manager designed for productive use. It offers two main features:

Package maintainers: 3

CVE-2023-50882
5.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 3 months ago
WordPress ProfilePress plugin <= 4.13.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in ProfilePress Membership Team ProfilePress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProfilePress: from n/a through 4.13.2.

Affected products

wp-user-avatar
  • =<4.13.2

Matching in nixpkgs

pkgs.wordpressPackages.plugins.wp-user-avatars

CVE-2024-11991
5.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 3 months ago
Uninitialized memory access in Motoko incremental garbage collector

Motoko's incremental garbage collector is impacted by an uninitialized memory access bug, caused by incorrect use of write barriers in a few locations. This vulnerability could potentially allow unauthorized read or write access to a Canister's memory. However, exploiting this bug requires the Canister to enable the incremental garbage collector or enhanced orthogonal persistence, which are non-default features in Motoko.

Affected products

moc
  • =<0.13.3

Matching in nixpkgs

pkgs.amoco

Tool for analysing binaries

pkgs.mochi

Simple markdown-powered SRS app

pkgs.umoci

Modifies Open Container images

pkgs.cmocka

Lightweight library to simplify and generalize unit tests for C

pkgs.emocli

Emoji picker for your command line

pkgs.cosmocc

Compilers for Cosmopolitan C/C++ programs

pkgs.mockgen

Mocking framework for the Go programming language

pkgs.mockoon

Easiest and quickest way to run mock APIs locally

pkgs.teamocil

Simple tool used to automatically create windows and panes in tmux with YAML files

pkgs.umockdev

Mock hardware devices for creating unit tests

pkgs.wiremock

Flexible tool for building mock APIs

pkgs.uhttpmock

Project for mocking web service APIs which use HTTP or HTTPS

pkgs.go-mockery

Mock code autogenerator for Golang

pkgs.go-minimock

Golang mock generator from interfaces

pkgs.libosmocore

Set of Osmocom core libraries

pkgs.mockobjects

Generic unit testing framework and methodology for testing any kind of code

pkgs.libqtdbusmock

Library for mocking DBus interactions using Qt

pkgs.uhttpmock_1_0

Project for mocking web service APIs which use HTTP or HTTPS

pkgs.rtl-sdr-osmocom

Software to turn the RTL2832U into a SDR receiver

pkgs.ec2-metadata-mock

Amazon EC2 Metadata Mock

pkgs.nodePackages.mocha

simple, flexible, fun test framework

pkgs.python312Packages.mock

Rolling backport of unittest.mock for all Pythons

pkgs.python313Packages.mock

Rolling backport of unittest.mock for all Pythons

pkgs.haskellPackages.mockcat

Mock library for test in Haskell

pkgs.haskellPackages.mockery

Support functions for automated testing

pkgs.haskellPackages.shamochu

“Shuffle and merge overlapping chunks” lossless compression

pkgs.python312Packages.mocket

Socket mock framework for all kinds of sockets including web-clients

pkgs.python312Packages.mockfs

Simple mock filesystem for use in unit tests

pkgs.python313Packages.mocket

Socket mock framework for all kinds of sockets including web-clients

pkgs.python313Packages.mockfs

Simple mock filesystem for use in unit tests

pkgs.rubyPackages.rspec-mocks

pkgs.gnomeExtensions.mock-tray

Creates an invisible system tray (TopIcons) for apps (like MEGAsync) that won't run properly without one.

pkgs.haskellPackages.http-mock

HTTP mocking and expectations library for Haskell

pkgs.haskellPackages.mock-time

Mock time in tests

pkgs.nodePackages_latest.mocha

simple, flexible, fun test framework

pkgs.python312Packages.httmock

Mocking library for requests

pkgs.python312Packages.mockito

Spying framework

pkgs.python313Packages.httmock

Mocking library for requests

pkgs.python313Packages.mockito

Spying framework

pkgs.python312Packages.flexmock

Testing library that makes it easy to create mocks,stubs and fakes

pkgs.python312Packages.minimock

Minimalistic mocking library

pkgs.python312Packages.pymochad

Python library for sending commands to the mochad TCP gateway daemon for the X10 CMA15A controller

pkgs.python313Packages.flexmock

Testing library that makes it easy to create mocks,stubs and fakes

pkgs.python313Packages.minimock

Minimalistic mocking library

pkgs.python313Packages.pymochad

Python library for sending commands to the mochad TCP gateway daemon for the X10 CMA15A controller

pkgs.python312Packages.mock-open

Better mock for file I/O

pkgs.python312Packages.mongomock

Fake pymongo stub for testing simple MongoDB-dependent code

pkgs.python313Packages.mock-open

Better mock for file I/O

pkgs.python313Packages.mongomock

Fake pymongo stub for testing simple MongoDB-dependent code

pkgs.python312Packages.types-mock

Type stub package for the mock package

pkgs.python313Packages.types-mock

Type stub package for the mock package

pkgs.rubyPackages_3_1.rspec-mocks

pkgs.rubyPackages_3_2.rspec-mocks

pkgs.rubyPackages_3_3.rspec-mocks

pkgs.rubyPackages_3_4.rspec-mocks

pkgs.haskellPackages.typeable-mock

Mock functions and expressions anywhere

pkgs.python312Packages.mock-django

Simple library for mocking certain Django behavior, such as the ORM

pkgs.python312Packages.pytest-mock

Thin wrapper around the mock package for easier use with pytest

pkgs.python313Packages.mock-django

Simple library for mocking certain Django behavior, such as the ORM

pkgs.python313Packages.pytest-mock

Thin wrapper around the mock package for easier use with pytest

pkgs.haskellPackages.polysemy-mocks

Mocking framework for polysemy effects

pkgs.python312Packages.mock-services

Mock an entire service API based on requests-mock

pkgs.python312Packages.requests-mock

Mock out responses from the requests package

pkgs.python313Packages.mock-services

Mock an entire service API based on requests-mock

pkgs.python313Packages.requests-mock

Mock out responses from the requests package

pkgs.python312Packages.pytest-mockito

Base fixtures for mockito

pkgs.python313Packages.pytest-mockito

Base fixtures for mockito

pkgs.python312Packages.mock-ssh-server

Python mock SSH server for testing purposes

pkgs.python312Packages.python-dbusmock

Mock D-Bus objects for tests

pkgs.python313Packages.mock-ssh-server

Python mock SSH server for testing purposes

pkgs.python313Packages.python-dbusmock

Mock D-Bus objects for tests

pkgs.haskellPackages.data-memocombinators

Combinators for building memo tables

pkgs.python312Packages.pytest-mockservers

Set of fixtures to test your requests to HTTP/UDP servers

pkgs.python313Packages.pytest-mockservers

Set of fixtures to test your requests to HTTP/UDP servers

pkgs.home-assistant-component-tests.mochad

Open source home automation that puts local control and privacy first

Package maintainers: 40

CVE-2024-54225
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 3 months ago
WordPress Designer plugin <= 1.3.3 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodegearThemes Designer allows PHP Local File Inclusion.This issue affects Designer: from n/a through 1.3.3.

Affected products

designer
  • =<1.3.3

Matching in nixpkgs

pkgs.libsForQt5.kdesignerplugin

pkgs.plasma5Packages.kdesignerplugin

Package maintainers: 2