CVE-2017-18266
Description
The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable.
Risk Information
Base Score
8.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
1.003
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| desktop integration utilities from freedesktop.org (USN-3650-1) xdg-utils_1.1.1-1ubuntu3.2_all.deb | Linux |
| desktop integration utilities from freedesktop.org (USN-3650-1) xdg-utils_1.1.2-1ubuntu2.2_all.deb | Linux |
| desktop integration utilities from freedesktop.org (USN-3650-1) xdg-utils_1.1.0~rc1-2ubuntu7.2_all.deb | Linux |
| desktop integration utilities from freedesktop.org (USN-3650-1) xdg-utils_1.1.1-1ubuntu1.16.04.3_all.deb | Linux |
| xdg-utils security update(DSA-4211-1) xdg-utils_1.1.1-1+deb9u1_all.deb | Linux |
| xdg-utils security update(DSA-4211-1) xdg-utils_1.1.0~rc1+git20111210-7.4+deb8u1_all.deb | Linux |
| SUSE-SU-2018:1497-1(SUSE Linux Enterprise Desktop 12-SP3 ) xdg-utils-20140630-6.3.1.noarch.rpm | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234