[advisory]
id = "HSEC-2023-0003"
cwe = [94]
keywords = ["code", "injection", "historical"]
aliases = ["CVE-2013-1436"]

[[affected]]
package = "xmonad-contrib"
cvss = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
[[affected.versions]]
introduced = "0.5"
fixed = "0.11.2"

[[references]]
type = "ADVISORY"
url = "https://security.gentoo.org/glsa/201405-28"
[[references]]
type = "DISCUSSION"
url = "http://www.openwall.com/lists/oss-security/2013/07/26/5"
[[references]]
type = "FIX"
url = "https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51"

code injection in xmonad-contrib

The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.