DSA-4211-1 xdg-utils -- xdg-utils
ID: oval:org.secpod.oval:def:603409 | Date: (C)2018-05-28 (M)2023-12-20 |
Class: PATCH | Family: unix |
Gabriel Corona discovered that xdg-utils, a set of tools for desktop environment integration, is vulnerable to argument injection attacks. If the BROWSER environment variable on the victim host contains "%s" and the victim uses xdg-open to open a link crafted by an attacker, the attacker could manipulate the parameters passed to the browser when it is launched. This could, for example, set a proxy through which the network traffic of that particular execution could be intercepted.
Platform: |
Debian 8.x |
Debian 9.x |
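
The argument injection class described in the advisory, as an added shell illustration that is not xdg-utils code: it assumes a launcher that substitutes the link for "%s" in a BROWSER-style template, and contrasts splitting after substitution with splitting before it. The function names, the template and the link are constructed for this example.

```shell
#!/bin/sh
# Added illustration of the argument-injection class; not xdg-utils source.
# Assumption: the launcher substitutes the link for %s, then word-splits.

# Stand-in for the browser: reports how many arguments it received.
count_args() { echo "$#"; }

# Precondition named in the advisory: a BROWSER value containing "%s".
has_placeholder() {
    case "$1" in *%s*) return 0 ;; *) return 1 ;; esac
}

# Weak pattern: substitute first and split afterwards, so whitespace
# inside the link produces extra arguments.
argc_split_after() {
    cmd=$(printf "$1" "$2")
    set -f                      # no globbing while splitting
    set -- $cmd
    set +f
    count_args "$@"
}

# Hardened pattern: split the locally configured template first, then
# substitute the link inside each word, so it stays one argument.
argc_split_before() {
    url=$2
    set -f
    set -- $1
    set +f
    for word do
        shift
        case "$word" in
            *%s*) word=${word%%"%s"*}$url${word#*"%s"} ;;
        esac
        set -- "$@" "$word"
    done
    count_args "$@"
}

# Constructed sample values (not taken from the advisory).
TEMPLATE='example-browser --new-window %s'
LINK='http://example.test/ --extra-option'

if has_placeholder "$TEMPLATE"; then
    echo "split after substitution:  $(argc_split_after "$TEMPLATE" "$LINK") words"
    echo "split before substitution: $(argc_split_before "$TEMPLATE" "$LINK") words"
fi
```

The word counts include the program name, so a count higher than the number of words in the template means the link contributed arguments of its own.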