4.8 MEDIUM
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): High (H)
- User Interaction (UI): Passive (P)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): Low (L)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): Low (L)
- Subsequent System Impact Integrity (SI): Low (L)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): High (H)
- Modified User Interaction (MUI): Passive (P)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): Low (L)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Low (L)
- Modified Subsequent System Impact Integrity (MSI): Low (L)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
Stored Cross‑Site Scripting in MCO
MCO is vulnerable to Stored Cross‑Site Scripting (XSS) via the application logo upload functionality. An attacker with the ability to change the application logo can upload a crafted SVG file containing malicious JavaScript code that is executed when the logo is rendered or opened. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
References
-
https://cert.pl/en/posts/2026/07/CVE-2026-53902 third-party-advisory
Affected products
- ==25.3.3.1
Matching in nixpkgs
pkgs.ghdl
VHDL 2008/93/87 simulator
pkgs.mcomix
Comic book reader and image viewer
pkgs.termcolor
Header-only C++ library for printing colored messages
pkgs.ghdl-mcode
VHDL 2008/93/87 simulator
pkgs.xtermcontrol
Enables dynamic control of xterm properties
pkgs.mcontrolcenter
Tool to change the settings of MSI laptops running Linux
pkgs.nltk-data.semcor
NLTK Data
-
nixos-unstable 0-unstable-2024-07-29
- nixpkgs-unstable 0-unstable-2024-07-29
- nixos-unstable-small 0-unstable-2024-07-29
-
nixos-26.05 0-unstable-2024-07-29
- nixos-26.05-small 0-unstable-2024-07-29
- nixpkgs-26.05-darwin 0-unstable-2024-07-29
pkgs.streamcontroller
Elegant Linux app for the Elgato Stream Deck with support for plugins
-
nixos-unstable 1.5.0-beta.14
- nixpkgs-unstable 1.5.0-beta.14
- nixos-unstable-small 1.5.0-beta.14
-
nixos-26.05 1.5.0-beta.14
- nixos-26.05-small 1.5.0-beta.14
- nixpkgs-26.05-darwin 1.5.0-beta.14
pkgs.kdePackages.kpmcore
KDE Partition Manager core library
pkgs.kdePackages.pimcommon
Common library components for KDE PIM
pkgs.openmodelica.omcompiler
None
pkgs.ocamlPackages.randomconv
Convert from random bytes to random native numbers
pkgs.haskellPackages.termcolor
Composable terminal colors
pkgs.python312Packages.numcodecs
None
pkgs.python312Packages.termcolor
None
pkgs.python313Packages.numcodecs
Buffer compression and transformation codecs for use in data storage and communication applications
pkgs.python313Packages.termcolor
ANSI color formatting for output in terminal
pkgs.python314Packages.numcodecs
Buffer compression and transformation codecs for use in data storage and communication applications
pkgs.python314Packages.termcolor
ANSI color formatting for output in terminal
pkgs.kodiPackages.steam-controller
Binary addon for steam controller
pkgs.ocamlPackages_latest.randomconv
Convert from random bytes to random native numbers
pkgs.gnomeExtensions.streamcontroller-integration
Allow automatic page switching in StreamController by adding a dbus interface to fetch info about the current window.
pkgs.python313Packages.streamcontroller-streamdeck
Python library to control the Elgato Stream Deck
pkgs.python314Packages.streamcontroller-streamdeck
Python library to control the Elgato Stream Deck
pkgs.python313Packages.streamcontroller-plugin-tools
StreamController plugin tools
pkgs.python314Packages.streamcontroller-plugin-tools
StreamController plugin tools
Package maintainers
-
@Lucus16 Lars Jellema <lars.jellema@gmail.com>
-
@thoughtpolice Austin Seipp <aseipp@pobox.com>
-
@sempiternal-aurora Myria Sarvay <myrialsarvay@gmail.com>
-
@honnip Jung seungwoo <me@honnip.page>
-
@PhilippWoelfel Philipp Woelfel <philipp.woelfel@gmail.com>
-
@LunNova Luna Nova <nixpkgs-maintainer@lunnova.dev>
-
@nyanloutre Paul Trehiou <paul@nyanlout.re>
-
@peterhoeg Peter Hoeg <peter@hoeg.com>
-
@FRidh Frederik Rietdijk <fridh@fridh.nl>
-
@NickCao Nick Cao <nickcao@nichi.co>
-
@ilya-fedin Ilya Fedin <fedin-ilja2010@ya.ru>
-
@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
-
@K900 Ilya K. <me@0upti.me>
-
@bkchr Bastian Köcher <nixos@kchr.de>
-
@mjm Matt Moriarity <matt@mattmoriarity.com>
-
@nvmd Sergey Kazenyuk <kazenyuk@pm.me>
-
@cpages Carles Pagès <page@ruiec.cat>
-
@dschrempf Dominik Schrempf <dominik.schrempf@gmail.com>
-
@aanderse Aaron Andersen <aaron@fosslib.net>
-
@minijackson Rémi Nicole <minijackson@riseup.net>
-
@con-f-use J.C. <con-f-use@gmx.net>
-
@thiagokokada Thiago K. Okada <thiagokokada@gmail.com>
-
@Tommimon Tommaso Montanari <sefymw7q8@mozmail.com>
-
@happysalada Raphael Megzari <raphael@megzari.com>
-
@bengsparks Ben Sparks <benjamin.sparks@protonmail.com>
-
@vbgl Vincent Laporte <Vincent.Laporte@gmail.com>
-
@doronbehar Doron Behar <me@doronbehar.com>
-
@sifmelcara Ming Chuan <ming@culpring.com>
-
@prusnak Pavol Rusnak <pavol@rusnak.io>
-
@derchrisuk Christian Gerbrandt <derchris@me.com>
-
@Majiir Majiir Paktu <majiir@nabaal.net>