CVE-2023-44452

Published: May 3, 2024Modified: Aug 14, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Linux Mint Xreader CBT File Parsing Argument Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Mint Xreader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CBT files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22132.

Affected (1)

Products: Linuxmint: Xreader

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Linuxmint Xreader	Version 3.8.2

Related CWEs

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

References (4)

https://github.com/linuxmint/xreader/commit/cd678889ecfe4e84a5cbcf3a0489e15a5e2e3736

Source: zdi-disclosures@trendmicro.com

Patch

https://www.zerodayinitiative.com/advisories/ZDI-23-1836/

Source: zdi-disclosures@trendmicro.com

Third Party Advisory

https://github.com/linuxmint/xreader/commit/cd678889ecfe4e84a5cbcf3a0489e15a5e2e3736

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://www.zerodayinitiative.com/advisories/ZDI-23-1836/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.