
CVE-2017-18266 – Ubuntu Security Notice USN-3650-1
https://notcve.org/view.php?id=CVE-2017-18266
10 May 2018 — The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable. • https://bugs.freedesktop.org/show_bug.cgi?id=103807 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2009-0068
https://notcve.org/view.php?id=CVE-2009-0068
07 Jan 2009 — Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type that Firefox sends to xdg-open, which causes xdg-open to process the dangerous file type through automatic type detection, as demonstrated by overwriting the .desktop file. • http://www.openwall.com/lists/oss-security/2009/01/06/1 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2008-0386
https://notcve.org/view.php?id=CVE-2008-0386
04 Feb 2008 — Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email. • http://bugs.gentoo.org/show_bug.cgi?id=207331 • CWE-20: Improper Input Validation