5.4 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
by @LeSuisse
Activity log
- Created suggestion
- @LeSuisse ignored 20 packages
- gravit
- antigravity
- antigravity-fhs
- stardust-xr-gravity
- kdePackages.libgravatar
- gnomeExtensions.gravatar
- haskellPackages.gravatar
- python312Packages.libgravatar
- python313Packages.libgravatar
- python314Packages.libgravatar
- python312Packages.flask-gravatar
- python313Packages.flask-gravatar
- python314Packages.flask-gravatar
- python312Packages.django-gravatar2
- python313Packages.django-gravatar2
- python314Packages.django-gravatar2
- perlPackages.MojoliciousPluginGravatar
- perl5Packages.MojoliciousPluginGravatar
- perl538Packages.MojoliciousPluginGravatar
- perl540Packages.MojoliciousPluginGravatar
- @LeSuisse accepted
- @LeSuisse published on GitHub
grav-plugin-form: XSS via Taxonomy Field Values in Admin Panel
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary JavaScript that executes in any administrator's browser session when they view or edit any page in the admin panel. This vulnerability is fixed in 9.1.0.
References
Affected products
- ==< 2.0.0-beta.2
- ==< 9.1.0
Matching in nixpkgs
Ignored packages (20)
pkgs.gravit
Beautiful OpenGL-based gravity simulator
pkgs.antigravity
Agentic development platform, evolving the IDE into the agent-first era
pkgs.antigravity-fhs
Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications
pkgs.stardust-xr-gravity
Utility to launch apps and stardust clients at an offset
- nixos-unstable 0-unstable-2024-12-29
- nixpkgs-unstable 0-unstable-2024-12-29
- nixos-unstable-small 0-unstable-2024-12-29
- nixos-25.11 0-unstable-2024-12-29
- nixos-25.11-small 0-unstable-2024-12-29
- nixpkgs-25.11-darwin 0-unstable-2024-12-29
pkgs.kdePackages.libgravatar
Library that provides Gravatar support
pkgs.gnomeExtensions.gravatar
Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.
pkgs.haskellPackages.gravatar
Generate Gravatar image URLs
pkgs.python312Packages.libgravatar
Library that provides a Python 3 interface for the Gravatar API
pkgs.python313Packages.libgravatar
Library that provides a Python 3 interface for the Gravatar API
pkgs.python314Packages.libgravatar
Library that provides a Python 3 interface for the Gravatar API
pkgs.python312Packages.flask-gravatar
Small and simple integration of gravatar into flask
pkgs.python313Packages.flask-gravatar
Small and simple integration of gravatar into flask
pkgs.python314Packages.flask-gravatar
Small and simple integration of gravatar into flask
pkgs.python312Packages.django-gravatar2
Essential Gravatar support for Django
- nixos-25.11 gravatar2-1.4.5
- nixos-25.11-small gravatar2-1.4.5
- nixpkgs-25.11-darwin gravatar2-1.4.5
pkgs.python313Packages.django-gravatar2
Essential Gravatar support for Django
- nixos-unstable gravatar2-1.4.5
- nixpkgs-unstable gravatar2-1.4.5
- nixos-unstable-small gravatar2-1.4.5
- nixos-25.11 gravatar2-1.4.5
- nixos-25.11-small gravatar2-1.4.5
- nixpkgs-25.11-darwin gravatar2-1.4.5
pkgs.python314Packages.django-gravatar2
Essential Gravatar support for Django
- nixos-unstable gravatar2-1.4.5
- nixpkgs-unstable gravatar2-1.4.5
- nixos-unstable-small gravatar2-1.4.5
pkgs.perlPackages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
pkgs.perl5Packages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
pkgs.perl538Packages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
pkgs.perl540Packages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
Package maintainers
- @rycee Robert Helgesson <robert@rycee.net>