Nixpkgs Security Tracker


Accepted suggestions


updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
Keycloak: unguarded admin REST API endpoints allow low-privilege users to use administrative functionalities

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Affected products

keycloak
  • <24.0.5
Red Hat Single Sign-On 7
Red Hat Build of Keycloak
org.keycloak-keycloak-parent

Matching in nixpkgs

pkgs.keycloak

Identity and access management for modern applications and services

Package maintainers

updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
Moodle: unprotected access to sensitive information via dynamic tables

A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

Affected products

moodle
  • <4.2.10
  • <4.4.3
  • <4.3.7
  • <4.1.13

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
Moodle: idor when deleting oauth2 linked accounts

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

Affected products

moodle
  • <4.2.10
  • <4.1.13
  • <4.3.7
  • <4.4.3

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
Moodle: idor in edit/delete rss feed

A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.

Affected products

moodle
  • <4.4.4
  • <4.2.11
  • <4.1.0
  • <4.3.8
  • <4.1.14

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
Libopensc: heap buffer overflow in openpgp driver when generating key

A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bounds writes, possibly resulting in arbitrary code execution.

Affected products

opensc
  • <0.26.0

Matching in nixpkgs

pkgs.opensc

Set of libraries and utilities to access smart cards

Package maintainers

updated 1 year, 1 month ago by @LeSuisse Activity log
  • Created automatic suggestion
  • @LeSuisse accepted
Moodle: users' names returned in messaging error message

A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.

Affected products

moodle
  • <4.4.4
  • <4.2.11
  • <4.1.0
  • <4.3.8
  • <4.1.14

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

updated 1 year, 1 month ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk accepted
Moodle: some users can delete audiences of other reports

A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.

Affected products

moodle
  • <4.4.4
  • <4.2.11
  • <4.1.0
  • <4.3.8
  • <4.1.14

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

updated 1 year, 1 month ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk accepted
Moodle: idor when accessing list of badge recipients

A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

Affected products

moodle
  • <4.4.4

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

updated 1 year, 1 month ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk accepted
Moodle: idor when fetching report schedules

A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.

Affected products

moodle
  • <4.4.4
  • <4.2.11
  • <4.1.0
  • <4.3.8
  • <4.1.14

Matching in nixpkgs

pkgs.moodle

Free and open-source learning management system (LMS) written in PHP

Package maintainers

updated 1 year, 1 month ago by @fricklerhandwerk Activity log
  • Created automatic suggestion
  • @fricklerhandwerk accepted
Qemu-kvm: information leak in virtio devices

A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push as set in virtio_scsi_complete_req / virtio_blk_req_complete / virtio_crypto_req_complete could be larger than the true size of the data that has been sent to the guest. Once virtqueue_push() finally calls dma_memory_unmap to unmap the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist in the bounce.buffer, leading to an information leak.

Affected products

qemu
  • *
qemu-kvm
qemu-kvm-ma
virt:av/qemu-kvm
virt:rhel/qemu-kvm

Matching in nixpkgs

pkgs.qemu

Generic and open source machine emulator and virtualizer

pkgs.qemu_kvm

Generic and open source machine emulator and virtualizer

pkgs.qemu_xen

Generic and open source machine emulator and virtualizer

pkgs.qemu-user

QEMU User space emulator - launch executables compiled for one CPU on another CPU

pkgs.qemu_full

Generic and open source machine emulator and virtualizer

pkgs.qemu_test

Generic and open source machine emulator and virtualizer

pkgs.qemu-utils

Generic and open source machine emulator and virtualizer

pkgs.armTrustedFirmwareQemu

Reference implementation of secure world software for ARMv8-A

Package maintainers