Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2021-47908

6.4 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): NONE

created 2 months, 1 week ago

Ultimate POS 4.4 Persistent Cross-Site Scripting via Product Name

Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions.

References

Vulnerability Lab Advisory exploit
Product Homepage product
VulnCheck Advisory: Ultimate POS 4.4 Persistent Cross-Site Scripting via Product Name third-party-advisory
Vulnerability Lab Advisory exploit
Product Homepage product
VulnCheck Advisory: Ultimate POS 4.4 Persistent Cross-Site Scripting via Product Name third-party-advisory

Affected products

Unknown

==4.4

Matching in nixpkgs

pkgs.nnd

Debugger for Linux

nixos-unstable x86_64-unknown-linux-musl-0.38
- nixpkgs-unstable x86_64-unknown-linux-musl-0.69
- nixos-unstable-small x86_64-unknown-linux-musl-0.38
nixos-25.11 x86_64-unknown-linux-musl-0.59
- nixpkgs-25.11-darwin x86_64-unknown-linux-musl-0.59

pkgs.nim1

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

nixos-unstable 1.6.20
- nixpkgs-unstable 1.6.20
- nixos-unstable-small 1.6.20
nixos-25.11 1.6.20
- nixpkgs-25.11-darwin 1.6.20

pkgs.nim2

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

nixos-unstable 2.2.4
- nixpkgs-unstable 2.2.4
- nixos-unstable-small 2.2.4
nixos-25.11 2.2.4
- nixpkgs-25.11-darwin 2.2.4

pkgs.nim-2_0

Statically typed, imperative programming language (aarch64-unknown-linux-gnu wrapper)

nixos-unstable 2.0.16
- nixpkgs-unstable 2.0.16
- nixos-unstable-small 2.0.16
nixos-25.11 2.0.16
- nixpkgs-25.11-darwin 2.0.16

pkgs.lixStatic

Powerful package manager that makes package management reliable and reproducible

nixos-unstable x86_64-unknown-linux-musl-2.91.3
- nixpkgs-unstable x86_64-unknown-linux-musl-2.93.3
- nixos-unstable-small x86_64-unknown-linux-musl-2.91.3
nixos-25.11 x86_64-unknown-linux-musl-2.93.3
- nixpkgs-25.11-darwin x86_64-unknown-linux-musl-2.93.3

pkgs.nixStatic

Powerful package manager that makes package management reliable and reproducible

nixos-unstable x86_64-unknown-linux-musl-2.28.4
- nixpkgs-unstable x86_64-unknown-linux-musl-2.31.3
- nixos-unstable-small x86_64-unknown-linux-musl-2.28.4
nixos-25.11 x86_64-unknown-linux-musl-2.31.2
- nixpkgs-25.11-darwin x86_64-unknown-linux-musl-2.31.2

Package maintainers

@lf- Jade Lovelace
@9999years Rebecca Turner <rbt@fastmail.com>
@alois31 Alois Wohlschlager <alois1@gmx-topmail.de>
@RaitoBezarius Ryan Lahfa <ryan@lahfa.xyz>
@Qyriad Qyriad <qyriad@qyriad.me>
@Eveeifyeve Eveeifyeve <eveeg1971@gmail.com>
@ehmry Emery Hemingway <ehmry@posteo.net>
@roberth Robert Hensing <nixpkgs@roberthensing.nl>
@Artturin Artturi N <artturin@artturin.com>
@tomberek Thomas Bereknyei <tomberek@gmail.com>
@edolstra Eelco Dolstra <edolstra+nixpkgs@gmail.com>
@Mic92 Jörg Thalheim <joerg@thalheim.io>
@lovesegfault Bernardo Meurer <meurerbernardo@gmail.com>
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
@Sinjin2300 Sinjin