code injection in xmonad-contrib
The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.
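The mitigation for this class of bug is to remove xmobar markup from an untrusted window title before it reaches the status bar. The following is an added example, not code from the advisory or from xmonad-contrib; the names `markupTags`, `stripOnce` and `sanitizeTitle`, the tag list and the sample titles are assumptions made for the illustration.

```haskell
module Main (main) where

import Data.List (stripPrefix)
import Data.Maybe (mapMaybe)

-- Tag names treated as xmobar markup (assumption for this example).
markupTags :: [String]
markupTags = ["action", "fc", "icon"]

-- One pass over the title: drop every "<tag=...>" opener and "</tag>"
-- closer for the tags above, and keep all other characters unchanged.
stripOnce :: String -> String
stripOnce [] = []
stripOnce s@(c:cs) =
  case mapMaybe dropTag markupTags of
    (rest:_) -> stripOnce rest
    []       -> c : stripOnce cs
  where
    dropTag t = case stripPrefix ("<" ++ t ++ "=") s of
      -- Opener found: skip its attribute text up to and including '>'.
      Just afterOpen -> Just (drop 1 (dropWhile (/= '>') afterOpen))
      -- Otherwise try the matching closer.
      Nothing        -> stripPrefix ("</" ++ t ++ ">") s

-- Repeat until a pass changes nothing. A single pass is not enough:
-- removing an inner tag can splice the surrounding text into a new one.
-- Every pass that changes the string shortens it, so this terminates.
sanitizeTitle :: String -> String
sanitizeTitle s
  | s' == s   = s
  | otherwise = sanitizeTitle s'
  where s' = stripOnce s

-- Constructed sample titles; COMMAND is a placeholder, not a real command.
samples :: [String]
samples =
  [ "Inbox - Mail"
  , "<action=COMMAND>Click me</action>"
  , "<act<action=x>ion=COMMAND>nested</action>"
  , "a < b"
  ]

main :: IO ()
main = mapM_ (print . sanitizeTitle) samples
```

The third sample is the case a single-pass filter misses: one pass leaves a complete action tag behind, and the second pass removes it. Upgrading to xmonad-contrib 0.11.2 or later remains the fix the advisory points to.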
Info
- Published: June 19, 2023
- Modified: June 19, 2023
- CAPECs: < none >
- CWEs: 94
- Keywords: code, injection, historical
- Aliases: CVE-2013-1436
- Related: < none >
- References:
  - [ADVISORY] https://security.gentoo.org/glsa/201405-28
  - [DISCUSSION] http://www.openwall.com/lists/oss-security/2013/07/26/5
  - [FIX] https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51
Affected
xmonad-contrib
- CVSS: AV:N/AC:L/Au:N/C:P/I:P/A:P
- Versions: >=0.5 && <0.11.2
- Declarations: < none >