Nixpkgs security tracker
8.9 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): High (H)
- Integrity (I): Low (L)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): High (H)
by @LeSuisse Activity log
- Created suggestion
-
@LeSuisse
ignored
20 packages
- gravit
- antigravity
- antigravity-fhs
- stardust-xr-gravity
- kdePackages.libgravatar
- gnomeExtensions.gravatar
- haskellPackages.gravatar
- python312Packages.libgravatar
- python313Packages.libgravatar
- python314Packages.libgravatar
- python312Packages.flask-gravatar
- python313Packages.flask-gravatar
- python314Packages.flask-gravatar
- python312Packages.django-gravatar2
- python313Packages.django-gravatar2
- python314Packages.django-gravatar2
- perlPackages.MojoliciousPluginGravatar
- perl5Packages.MojoliciousPluginGravatar
- perl538Packages.MojoliciousPluginGravatar
- perl540Packages.MojoliciousPluginGravatar
- @LeSuisse accepted
- @LeSuisse published on GitHub
Grav: Stored XSS via Tag Injection
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the use of admin-nonce to do a complete server compromise (RCE). This vulnerability is fixed in 2.0.0-beta.2.
References
Affected products
- ==< 2.0.0-beta.2
Matching in nixpkgs
Ignored packages (20)
pkgs.gravit
Beautiful OpenGL-based gravity simulator
pkgs.antigravity
Agentic development platform, evolving the IDE into the agent-first era
pkgs.antigravity-fhs
Wrapped variant of antigravity which launches in a FHS compatible environment, should allow for easy usage of extensions without nix-specific modifications
pkgs.stardust-xr-gravity
Utility to launch apps and stardust clients at an offet
-
nixos-unstable 0-unstable-2024-12-29
- nixpkgs-unstable 0-unstable-2024-12-29
- nixos-unstable-small 0-unstable-2024-12-29
pkgs.kdePackages.libgravatar
Library that provides Gravatar support
pkgs.gnomeExtensions.gravatar
Synchronize GNOME Shell user icon with an avatar service, one of Gravatar or Libravatar.
pkgs.haskellPackages.gravatar
Generate Gravatar image URLs
pkgs.python312Packages.libgravatar
None
pkgs.python313Packages.libgravatar
Library that provides a Python 3 interface for the Gravatar API
pkgs.python314Packages.libgravatar
Library that provides a Python 3 interface for the Gravatar API
pkgs.python312Packages.flask-gravatar
None
pkgs.python313Packages.flask-gravatar
Small and simple integration of gravatar into flask
pkgs.python314Packages.flask-gravatar
Small and simple integration of gravatar into flask
pkgs.python312Packages.django-gravatar2
None
pkgs.python313Packages.django-gravatar2
Essential Gravatar support for Django
-
nixos-unstable gravatar2-1.4.5
- nixpkgs-unstable gravatar2-1.4.5
- nixos-unstable-small gravatar2-1.4.5
pkgs.python314Packages.django-gravatar2
Essential Gravatar support for Django
-
nixos-unstable gravatar2-1.4.5
- nixpkgs-unstable gravatar2-1.4.5
- nixos-unstable-small gravatar2-1.4.5
pkgs.perlPackages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
pkgs.perl5Packages.MojoliciousPluginGravatar
Globally Recognized Avatars for Mojolicious
Package maintainers
-
@rycee Robert Helgesson <robert@rycee.net>