Nixpkgs security tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: proftpd

Found 2 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-44331
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 2 weeks, 5 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 5 days ago
  • @LeSuisse accepted 2 weeks, 5 days ago
  • @LeSuisse published on GitHub 2 weeks, 5 days ago
In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability …

In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When "UseReverseDNS on" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.

Affected products

ProFTPD
  • =<1.3.9a

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-42167
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 3 weeks, 5 days ago by @LeSuisse Activity log
  • Created suggestion 3 weeks, 5 days ago
  • @LeSuisse accepted 3 weeks, 5 days ago
  • @LeSuisse published on GitHub 3 weeks, 5 days ago
mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute …

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

Affected products

ProFTPD
  • <1.3.10rc1

Matching in nixpkgs

pkgs.proftpd

Highly configurable GPL-licensed FTP server software

Package maintainers

Backported in 1.3.9a: https://github.com/proftpd/proftpd/blob/v1.3.9a/NEWS#L53-L54