
CVE-2017-14604 – nautilus: Insufficient validation of trust of .desktop files with execute permission
https://notcve.org/view.php?id=CVE-2017-14604
20 Sep 2017 — GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute p... • http://www.debian.org/security/2017/dsa-3994 • CWE-20: Improper Input Validation • CWE-345: Insufficient Verification of Data Authenticity

CVE-2002-0157
https://notcve.org/view.php?id=CVE-2002-0157
16 May 2002 — Nautilus 1.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the .nautilus-metafile.xml metadata file. • http://online.securityfocus.com/archive/1/270691/2002-04-29/2002-05-05/0