Nixpkgs Security Tracker

Login with GitHub

Automatically generated suggestions

to slate a suggestion for refinement.

to mark a suggestion as irrelevant and log the reason.

View:
Compact
Detailed
Permalink CVE-2023-44262
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Blocks Plugin <= 1.6.41 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Renzo Johnson Blocks plugin <= 1.6.41 versions.

References

Affected products

blocks
  • =<1.6.41

Matching in nixpkgs

pkgs.i3blocks

Flexible scheduler for your i3bar blocks

  • nixos-unstable -

pkgs.codeblocks

Open source, cross platform, free C, C++ and Fortran IDE

  • nixos-unstable -

pkgs.i3blocks-gaps

Flexible scheduler for your i3bar blocks -- this is a fork to use with i3-gaps

  • nixos-unstable -

pkgs.codeblocksFull

Open source, cross platform, free C, C++ and Fortran IDE

  • nixos-unstable -
Permalink CVE-2023-46154
6.6 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
WordPress e2pdf Plugin <= 1.20.18 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in E2Pdf.Com E2Pdf – Export To Pdf Tool for WordPress.This issue affects E2Pdf – Export To Pdf Tool for WordPress: from n/a through 1.20.18.

References

Affected products

e2pdf
  • =<1.20.18

Matching in nixpkgs

Permalink CVE-2023-0459
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 6 months ago
Copy_from_user Spectre-V1 Gadget in Linux Kernel

Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef55957c3abd71614ef0f42f47

References

Affected products

kernel
  • =<74e19ef0ff8061ef55957c3abd71614ef0f42f47

Matching in nixpkgs

pkgs.linux-doc

Linux kernel html documentation

  • nixos-unstable -

pkgs.coq-kernel

None

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.kernelshark

GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-50837
7.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): LOW
created 6 months ago
WordPress Login Lockdown Plugin <= 2.06 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebFactory Ltd Login Lockdown – Protect Login Form.This issue affects Login Lockdown – Protect Login Form: from n/a through 2.06.

References

Affected products

login-lockdown
  • =<2.06

Matching in nixpkgs

Permalink CVE-2023-45064
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress OPcache Dashboard Plugin <= 0.3.1 is vulnerable to Cross Site Scripting (XSS)

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Daisuke Takahashi(Extend Wings) OPcache Dashboard plugin <= 0.3.1 versions.

References

Affected products

opcache
  • =<0.3.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-48320
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Video Player Plugin <= 1.5.22 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDorado SpiderVPlayer allows Stored XSS.This issue affects SpiderVPlayer: from n/a through 1.5.22.

References

Affected products

player
  • =<1.5.22

Matching in nixpkgs

pkgs.smplayer

Complete front-end for MPlayer

  • nixos-unstable -

pkgs.hqplayerd

High-end upsampling multichannel software embedded HD-audio player

pkgs.playerctl

Command-line utility and library for controlling media players that implement MPRIS

  • nixos-unstable -

pkgs.miniplayer

Curses-based MPD client with basic functionality that can also display an album art

  • nixos-unstable -

pkgs.get_iplayer

Downloads TV and radio programmes from BBC iPlayer and BBC Sounds

  • nixos-unstable -

pkgs.spotify-player

Terminal spotify player that has feature parity with the official client

  • nixos-unstable -

pkgs.media-player-info

Repository of data files describing media player capabilities

  • nixos-unstable -
    • nixpkgs-unstable 26

pkgs.gnomeExtensions.quran-player

Listen to Quran recitations directly from your GNOME Shell. Features multiple reciters with audio from QuranCentral.com and Archive.org servers.

  • nixos-unstable -
    • nixpkgs-unstable 12

Package maintainers

Permalink CVE-2024-37063
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer …

A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run when a maliocusly crafted report is viewed in the browser.

References

Affected products

ydata-profiling
  • =<*
  • =<3.7.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2023-26008
5.9 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 6 months ago
WordPress Top 10 Plugin <= 3.2.4 is vulnerable to Cross Site Scripting (XSS)

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ajay D'Souza Top 10 – Popular posts plugin for WordPress plugin <= 3.2.4 versions.

References

Affected products

top-10
  • =<3.2.4

Matching in nixpkgs

pkgs.budgie-desktop

Feature-rich, modern desktop designed to keep out the way of the user

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-32551
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months ago
Landscape Open Redirect

Landscape allowed URLs which caused open redirection.

References

Affected products

landscape
  • <19.10.05

Matching in nixpkgs

pkgs.terraform-landscape

Improve Terraform's plan output to be easier to read and understand

  • nixos-unstable -

Package maintainers

Permalink CVE-2023-3389
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months ago
Use after free in io_uring in the Linux Kernel

A use-after-free vulnerability in the Linux Kernel io_uring subsystem can be exploited to achieve local privilege escalation. Racing a io_uring cancel poll request with a linked timeout can cause a UAF in a hrtimer. We recommend upgrading past commit ef7dfac51d8ed961b742218f526bd589f3900a59 (4716c73b188566865bdd79c3a6709696a224ac04 for 5.10 stable and 0e388fce7aec40992eadee654193cad345d62663 for 5.15 stable).

References

Affected products

kernel
  • <6.4
  • <5.10.185

Matching in nixpkgs

pkgs.linux-doc

Linux kernel html documentation

  • nixos-unstable -

pkgs.coq-kernel

None

  • nixos-unstable -
    • nixpkgs-unstable

pkgs.kernelshark

GUI for trace-cmd which is an interface for the Linux kernel ftrace subsystem

  • nixos-unstable -

Package maintainers