VDB

SNYK-PYTHON-PYXDG-174562

SNYK-PYTHON-PYXDG-174562 | PUBLISHED | CVSS 7.3 | HIGH

## Overview

[pyxdg](https://pypi.org/project/pyxdg/) contains implementations of freedesktop.org standards in Python.

Affected versions of this package are vulnerable to Arbitrary Command Execution via the `xdg.Menu.parse()` function. If an attacker can craft a malicious `menu` file with a `Category` node containing injected Python code, and can add that file's directory to `xdg_config_dirs`, the malicious menu will be parsed and the vulnerability can be exploited. The root cause is a lack of sanitization in `xdg/Menu.py`: when the malicious `menu` file is parsed, the injected code reaches an unsanitized `eval()` call and is executed.

## Remediation

Upgrade `pyxdg` to version 0.26 or higher.

## References

- [GitHub Vulnerable Code](https://github.com/freedesktop/pyxdg/blob/rel-0.25/xdg/Menu.py)
- [Proof Of Concept](https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba)

Risk Scores

CVSS 3.1
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products

Vendor | Product | Versions
(0 entries listed)

Timeline

  • Feb 2, 2019 CVE Updated
  • May 1, 2019 CVE Published