CVE-2019-12761

Published: Jun 6, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.

Affected (1)

Products: Python: Pyxdg

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Python Pyxdg	Before 0.26

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (8)

https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba

Source: cve@mitre.org

ExploitThird Party Advisory

https://lists.debian.org/debian-lts-announce/2019/06/msg00006.html

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2021/08/msg00003.html

Source: cve@mitre.org

https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562

Source: cve@mitre.org

Third Party Advisory

https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://lists.debian.org/debian-lts-announce/2019/06/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2021/08/msg00003.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.