Nixpkgs Security Tracker

Untriaged

Permalink CVE-2024-58135

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 6 months ago

Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets

Mojolicious versions from 7.28 through 9.39 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

References

Affected products

Mojolicious

=<*
=<9.40
=<9.39

Matching in nixpkgs

pkgs.perlPackages.Mojolicious

Real-time web framework

nixos-unstable -
- nixpkgs-unstable 9.39

pkgs.perl538Packages.Mojolicious

Real-time web framework

nixos-unstable -
- nixpkgs-unstable 9.39

pkgs.perl540Packages.Mojolicious

Real-time web framework

nixos-unstable -
- nixpkgs-unstable 9.39

pkgs.perlPackages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable I18N-1.6

pkgs.perlPackages.MojoliciousPluginMail

Mojolicious Plugin for send mail

nixos-unstable -
- nixpkgs-unstable 1.5

pkgs.perlPackages.MojoliciousPluginStatus

Mojolicious server status

nixos-unstable -
- nixpkgs-unstable 1.17

pkgs.perlPackages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

nixos-unstable -
- nixpkgs-unstable 0.06

pkgs.perl538Packages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable I18N-1.6

pkgs.perl538Packages.MojoliciousPluginMail

Mojolicious Plugin for send mail

nixos-unstable -
- nixpkgs-unstable 1.5

pkgs.perl540Packages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable I18N-1.6

pkgs.perl540Packages.MojoliciousPluginMail

Mojolicious Plugin for send mail

nixos-unstable -
- nixpkgs-unstable 1.5

pkgs.perlPackages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 5.09

pkgs.perlPackages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

nixos-unstable -
- nixpkgs-unstable 1.02

pkgs.perlPackages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.04

pkgs.perl538Packages.MojoliciousPluginStatus

Mojolicious server status

nixos-unstable -
- nixpkgs-unstable 1.17

pkgs.perl538Packages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

nixos-unstable -
- nixpkgs-unstable 0.06

pkgs.perl540Packages.MojoliciousPluginStatus

Mojolicious server status

nixos-unstable -
- nixpkgs-unstable 1.17

pkgs.perl540Packages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

nixos-unstable -
- nixpkgs-unstable 0.06

pkgs.perlPackages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

nixos-unstable -
- nixpkgs-unstable 2.14

pkgs.perl538Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 5.09

pkgs.perl538Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

nixos-unstable -
- nixpkgs-unstable 1.02

pkgs.perl540Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 5.09

pkgs.perl540Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

nixos-unstable -
- nixpkgs-unstable 1.02

pkgs.perlPackages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.12

pkgs.perl538Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.04

pkgs.perl540Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.04

pkgs.perl538Packages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

nixos-unstable -
- nixpkgs-unstable 2.14

pkgs.perl540Packages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

nixos-unstable -
- nixpkgs-unstable 2.14

pkgs.perl538Packages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.12

pkgs.perl540Packages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.12

pkgs.perlPackages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

nixos-unstable -
- nixpkgs-unstable 0.02

pkgs.perlPackages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.006

pkgs.perl538Packages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

nixos-unstable -
- nixpkgs-unstable 0.02

pkgs.perl540Packages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

nixos-unstable -
- nixpkgs-unstable 0.02

pkgs.perl538Packages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.006

pkgs.perl540Packages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.006

Package maintainers

@thoughtpolice Austin Seipp <aseipp@pobox.com>
@marcusramberg Marcus Ramberg <marcus@means.no>
@stigtsp Stig Palmquist <stig@stig.io>
@TomaSajt TomaSajt

Untriaged

Permalink CVE-2024-58134

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 6 months ago

Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default

Mojolicious versions from 0.999922 through 9.39 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session.

References

Affected products

Mojolicious

=<*
=<9.40
=<9.39

Matching in nixpkgs

pkgs.perlPackages.Mojolicious

Real-time web framework

nixos-unstable -
- nixpkgs-unstable 9.39

pkgs.perl538Packages.Mojolicious

Real-time web framework

nixos-unstable -
- nixpkgs-unstable 9.39

pkgs.perl540Packages.Mojolicious

Real-time web framework

nixos-unstable -
- nixpkgs-unstable 9.39

pkgs.perlPackages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable I18N-1.6

pkgs.perlPackages.MojoliciousPluginMail

Mojolicious Plugin for send mail

nixos-unstable -
- nixpkgs-unstable 1.5

pkgs.perlPackages.MojoliciousPluginStatus

Mojolicious server status

nixos-unstable -
- nixpkgs-unstable 1.17

pkgs.perlPackages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

nixos-unstable -
- nixpkgs-unstable 0.06

pkgs.perl538Packages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable I18N-1.6

pkgs.perl538Packages.MojoliciousPluginMail

Mojolicious Plugin for send mail

nixos-unstable -
- nixpkgs-unstable 1.5

pkgs.perl540Packages.MojoliciousPluginI18N

Internationalization Plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable I18N-1.6

pkgs.perl540Packages.MojoliciousPluginMail

Mojolicious Plugin for send mail

nixos-unstable -
- nixpkgs-unstable 1.5

pkgs.perlPackages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 5.09

pkgs.perlPackages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

nixos-unstable -
- nixpkgs-unstable 1.02

pkgs.perlPackages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.04

pkgs.perl538Packages.MojoliciousPluginStatus

Mojolicious server status

nixos-unstable -
- nixpkgs-unstable 1.17

pkgs.perl538Packages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

nixos-unstable -
- nixpkgs-unstable 0.06

pkgs.perl540Packages.MojoliciousPluginStatus

Mojolicious server status

nixos-unstable -
- nixpkgs-unstable 1.17

pkgs.perl540Packages.MojoliciousPluginSyslog

Plugin for enabling a Mojolicious app to log to syslog

nixos-unstable -
- nixpkgs-unstable 0.06

pkgs.perlPackages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

nixos-unstable -
- nixpkgs-unstable 2.14

pkgs.perl538Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 5.09

pkgs.perl538Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

nixos-unstable -
- nixpkgs-unstable 1.02

pkgs.perl540Packages.MojoliciousPluginOpenAPI

OpenAPI / Swagger plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 5.09

pkgs.perl540Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

nixos-unstable -
- nixpkgs-unstable 1.02

pkgs.perlPackages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.12

pkgs.perl538Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.04

pkgs.perl540Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.04

pkgs.perl538Packages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

nixos-unstable -
- nixpkgs-unstable 2.14

pkgs.perl540Packages.MojoliciousPluginAssetPack

Compress and convert css, less, sass, javascript and coffeescript files

nixos-unstable -
- nixpkgs-unstable 2.14

pkgs.perl538Packages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.12

pkgs.perl540Packages.MojoliciousPluginRenderFile

"render_file" helper for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.12

pkgs.perlPackages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

nixos-unstable -
- nixpkgs-unstable 0.02

pkgs.perlPackages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.006

pkgs.perl538Packages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

nixos-unstable -
- nixpkgs-unstable 0.02

pkgs.perl540Packages.MojoliciousPluginTextExceptions

Render exceptions as text in command line user agents

nixos-unstable -
- nixpkgs-unstable 0.02

pkgs.perl538Packages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.006

pkgs.perl540Packages.MojoliciousPluginTemplateToolkit

Template Toolkit renderer plugin for Mojolicious

nixos-unstable -
- nixpkgs-unstable 0.006

Package maintainers

@thoughtpolice Austin Seipp <aseipp@pobox.com>
@marcusramberg Marcus Ramberg <marcus@means.no>
@stigtsp Stig Palmquist <stig@stig.io>
@TomaSajt TomaSajt

Untriaged

Permalink CVE-2024-7202

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 6 months ago

Simopro Technology WinMatrix3 Web package - SQL Injection

The query functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.

References

https://www.twcert.org.tw/en/cp-139-7963-44648-2.html vendor-advisory
https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html vendor-advisory
https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html vendor-advisory
https://www.twcert.org.tw/en/cp-139-7963-44648-2.html vendor-advisory
https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html vendor-advisory
https://www.twcert.org.tw/en/cp-139-7963-44648-2.html vendor-advisory
https://www.twcert.org.tw/tw/cp-132-7962-dd216-1.html vendor-advisory x_transferred
https://www.twcert.org.tw/en/cp-139-7963-44648-2.html vendor-advisory x_transferred

Affected products

Web

=<1.2.35.3

winmatrix3

=<1.2.35.3

Matching in nixpkgs

pkgs.DisnixWebService

SOAP interface and client for Disnix

nixos-unstable -
- nixpkgs-unstable 0.10.1

pkgs.perlPackages.WebMachine

Perl port of Webmachine

nixos-unstable -
- nixpkgs-unstable 0.17

pkgs.perlPackages.WebScraper

Web Scraping Toolkit using HTML and CSS Selectors or XPath expressions

nixos-unstable -
- nixpkgs-unstable 0.38

pkgs.perlPackages.MusicBrainz

API to search the musicbrainz.org database

nixos-unstable -
- nixpkgs-unstable 1.0.6

pkgs.perlPackages.JSONWebToken

JSON Web Token (JWT) implementation

nixos-unstable -
- nixpkgs-unstable 0.10

pkgs.perl538Packages.WebMachine

Perl port of Webmachine

nixos-unstable -
- nixpkgs-unstable 0.17

pkgs.perl538Packages.WebScraper

Web Scraping Toolkit using HTML and CSS Selectors or XPath expressions

nixos-unstable -
- nixpkgs-unstable 0.38

pkgs.perl540Packages.WebMachine

Perl port of Webmachine

nixos-unstable -
- nixpkgs-unstable 0.17

pkgs.perl540Packages.WebScraper

Web Scraping Toolkit using HTML and CSS Selectors or XPath expressions

nixos-unstable -
- nixpkgs-unstable 0.38

pkgs.perl538Packages.MusicBrainz

API to search the musicbrainz.org database

nixos-unstable -
- nixpkgs-unstable 1.0.6

pkgs.perl540Packages.MusicBrainz

API to search the musicbrainz.org database

nixos-unstable -
- nixpkgs-unstable 1.0.6

pkgs.perl538Packages.JSONWebToken

JSON Web Token (JWT) implementation

nixos-unstable -
- nixpkgs-unstable 0.10

pkgs.perl540Packages.JSONWebToken

JSON Web Token (JWT) implementation

nixos-unstable -
- nixpkgs-unstable 0.10

pkgs.perlPackages.WebServiceLinode

Perl Interface to the Linode.com API

nixos-unstable -
- nixpkgs-unstable 0.29

pkgs.perlPackages.NetAsyncWebSocket

Use WebSockets with IO::Async

nixos-unstable -
- nixpkgs-unstable 0.14

pkgs.perlPackages.ProtocolWebSocket

WebSocket protocol

nixos-unstable -
- nixpkgs-unstable 0.26

pkgs.perl538Packages.WebServiceLinode

Perl Interface to the Linode.com API

nixos-unstable -
- nixpkgs-unstable 0.29

pkgs.perl540Packages.WebServiceLinode

Perl Interface to the Linode.com API

nixos-unstable -
- nixpkgs-unstable 0.29

pkgs.perl538Packages.NetAsyncWebSocket

Use WebSockets with IO::Async

nixos-unstable -
- nixpkgs-unstable 0.14

pkgs.perl538Packages.ProtocolWebSocket

WebSocket protocol

nixos-unstable -
- nixpkgs-unstable 0.26

pkgs.perl540Packages.NetAsyncWebSocket

Use WebSockets with IO::Async

nixos-unstable -
- nixpkgs-unstable 0.14

pkgs.perl540Packages.ProtocolWebSocket

WebSocket protocol

nixos-unstable -
- nixpkgs-unstable 0.26

pkgs.perlPackages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

nixos-unstable -
- nixpkgs-unstable 1.02

pkgs.perlPackages.WebServiceValidatorHTMLW3C

Access the W3Cs online HTML validator

nixos-unstable -
- nixpkgs-unstable W3C-0.28

pkgs.perl538Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

nixos-unstable -
- nixpkgs-unstable 1.02

pkgs.perl540Packages.MojoliciousPluginWebpack

Mojolicious <3 Webpack

nixos-unstable -
- nixpkgs-unstable 1.02

pkgs.perl538Packages.WebServiceValidatorHTMLW3C

Access the W3Cs online HTML validator

nixos-unstable -
- nixpkgs-unstable W3C-0.28

pkgs.perl540Packages.WebServiceValidatorHTMLW3C

Access the W3Cs online HTML validator

nixos-unstable -
- nixpkgs-unstable W3C-0.28

pkgs.vscode-extensions.amazonwebservices.amazon-q-vscode

Amazon Q, CodeCatalyst, Local Lambda debug, SAM/CFN syntax, ECS Terminal, AWS resources

nixos-unstable -
- nixpkgs-unstable 1.93.0

Package maintainers

@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
@stigtsp Stig Palmquist <stig@stig.io>
@zakame Zak B. Elep <zakame@zakame.net>

Untriaged

Permalink CVE-2024-7201

9.8 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 6 months ago

Simopro Technology WinMatrix3 Web package - SQL Injection

The login functionality of WinMatrix3 Web package from Simopro Technology lacks proper validation of user input, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.