Nixpkgs security tracker
5.4 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse dismissed (not in Nixpkgs)
Total <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in Blog Section Image alt Attribute
The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML attribute context in the home blog section template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the malicious post to be published and displayed with a featured image in the Home Page blog section.
References
Affected products
- =<2.2.1
Matching in nixpkgs
pkgs.autotalent
Real-time pitch correction LADSPA plugin (no MIDI control)
pkgs.haskellPackages.total
Exhaustive pattern matching using lenses, traversals, and prisms
pkgs.haskellPackages.total-alternative
Alternative interface for total versions of partial function on the Prelude
pkgs.gnomeExtensions.net-totals-simplified
A Net totals extension that only displays totals.
pkgs.python312Packages.total-connect-client
Interact with Total Connect 2 alarm systems
pkgs.python313Packages.total-connect-client
Interact with Total Connect 2 alarm systems
pkgs.python314Packages.total-connect-client
Interact with Total Connect 2 alarm systems
pkgs.home-assistant-component-tests.totalconnect
Open source home automation that puts local control and privacy first
pkgs.tests.home-assistant-components.totalconnect
Open source home automation that puts local control and privacy first
Package maintainers
-
@michalrus Michal Rus <m@michalrus.com>
-
@honnip Jung seungwoo <me@honnip.page>
-
@Gabriella439 Gabriella Gonzalez <GenuineGabriella@gmail.com>
-
@dotlambda ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86 <nix@dotlambda.de>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>