CVE-2017-12904

Published: Aug 23, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.

Affected (23)

Products: Newsbeuter: Newsbeuter · Debian: Debian Linux

1 product

1 product

Configuration A

20 vulnerable

Vulnerable Software	Affected Versions
Newsbeuter Newsbeuter	Version 0.7
Newsbeuter Newsbeuter	Version 0.8.1
Newsbeuter Newsbeuter	Version 0.8.2
Newsbeuter Newsbeuter	Version 0.8
Newsbeuter Newsbeuter	Version 0.9.1
Newsbeuter Newsbeuter	Version 0.9
Newsbeuter Newsbeuter	Version 1.0
Newsbeuter Newsbeuter	Version 1.1
Newsbeuter Newsbeuter	Version 1.2
Newsbeuter Newsbeuter	Version 1.3
Newsbeuter Newsbeuter	Version 2.0
Newsbeuter Newsbeuter	Version 2.1
Newsbeuter Newsbeuter	Version 2.2
Newsbeuter Newsbeuter	Version 2.3
Newsbeuter Newsbeuter	Version 2.4
Newsbeuter Newsbeuter	Version 2.5
Newsbeuter Newsbeuter	Version 2.6
Newsbeuter Newsbeuter	Version 2.7
Newsbeuter Newsbeuter	Version 2.8
Newsbeuter Newsbeuter	Version 2.9

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

Improper Neutralization of Special Elements in Data Query Logic

The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

References (10)

http://www.debian.org/security/2017/dsa-3947

Source: cve@mitre.org

Third Party Advisory

https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/akrennmair/newsbeuter/issues/591

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://groups.google.com/forum/#%21topic/newsbeuter/iFqSE7Vz-DE

Source: cve@mitre.org

https://usn.ubuntu.com/4585-1/

Source: cve@mitre.org

http://www.debian.org/security/2017/dsa-3947

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/akrennmair/newsbeuter/issues/591

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

https://groups.google.com/forum/#%21topic/newsbeuter/iFqSE7Vz-DE

Source: af854a3a-2127-422b-91ae-364da2661108

https://usn.ubuntu.com/4585-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.