SNYK-PYTHON-PYXDG-174562
## Overview

[pyxdg](https://pypi.org/project/pyxdg/) contains implementations of freedesktop.org standards in Python.

Affected versions of this package are vulnerable to Arbitrary Command Execution via the `xdg.Menu.parse()` function. An attacker who can craft a malicious `menu` file whose `Category` node contains injected Python code, and who can add that file's directory to `xdg_config_dirs`, can have the file parsed and the injected code executed. The root cause is a lack of sanitization in `xdg/Menu.py`: when the malicious `menu` file is parsed, the `Category` value reaches an unsanitized `eval()` and the injected code runs.

## Remediation

Upgrade `pyxdg` to version 0.26 or higher.

## References

- [GitHub Vulnerable Code](https://github.com/freedesktop/pyxdg/blob/rel-0.25/xdg/Menu.py)
- [Proof Of Concept](https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba)
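The block below is an added illustration, not pyxdg's own code and not the referenced proof of concept. It contrasts the pattern the advisory describes (untrusted `Category` text spliced into Python source and passed to `eval()`) with an eval-free rule, and adds a small scanner that flags `Category` values in a `.menu` document that are not plain tokens, which a defender can run over the directories listed in `xdg_config_dirs` while the upgrade to 0.26 is rolled out. The sample menu is constructed, the function names are hypothetical, and the rule that category names consist only of letters, digits and hyphens is this example's own assumption, not a check pyxdg performs.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample .menu document (not from pyxdg or the advisory). The second
# <Include> carries a Category value that breaks out of a quoted string; it is
# harmless on its own and only serves to show how string-built rules go wrong.
SAMPLE_MENU = """<Menu>
  <Name>Applications</Name>
  <Menu>
    <Name>Accessories</Name>
    <Include><Category>Utility</Category></Include>
  </Menu>
  <Menu>
    <Name>Odd</Name>
    <Include><Category>Utility' or 'x</Category></Include>
  </Menu>
</Menu>
"""

# Assumption of this example: category names are plain tokens (letters, digits,
# hyphens), which covers standard names such as "Utility" and "X-GNOME-Settings".
SAFE_CATEGORY = re.compile(r"^[A-Za-z0-9-]+$")


def vulnerable_rule(category):
    """The pattern the advisory describes: untrusted text is spliced into
    Python source and handed to eval(). A quote in `category` rewrites the
    expression, so the menu file's author controls what gets evaluated."""
    code = "'%s' in categories" % category
    return lambda categories: eval(code, {"__builtins__": {}}, {"categories": categories})


def safe_rule(category):
    """Hardened form: reject anything that is not a plain token, then match
    with an ordinary membership test. No source code is built from input."""
    if not SAFE_CATEGORY.match(category):
        raise ValueError("invalid category name: %r" % category)
    return lambda categories: category in categories


def find_unsafe_categories(menu_xml):
    """Scan a .menu document and return (menu name, category text) for every
    <Category> under <Include>/<Exclude> whose text is not a plain token."""
    root = ET.fromstring(menu_xml)
    findings = []
    for menu in root.iter("Menu"):  # iter() includes the root <Menu> itself
        name_el = menu.find("Name")
        name = name_el.text if name_el is not None else "?"
        cats = menu.findall("./Include//Category") + menu.findall("./Exclude//Category")
        for cat in cats:
            text = (cat.text or "").strip()
            if not SAFE_CATEGORY.match(text):
                findings.append((name, text))
    return findings


if __name__ == "__main__":
    # Scan files named on the command line, or the constructed sample if none are given.
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_MENU)]
    for label, xml_text in sources:
        for menu_name, text in find_unsafe_categories(xml_text):
            print("%s: menu %r has a non-token Category value %r" % (label, menu_name, text))

    # Same value fed to both rule builders: the string-built rule matches an entry
    # that has no such category at all, the hardened one refuses the value outright.
    entry_categories = ["Game"]
    print("vulnerable rule matches:", bool(vulnerable_rule("Utility' or 'x")(entry_categories)))
    try:
        safe_rule("Utility' or 'x")
    except ValueError as exc:
        print("hardened rule rejected:", exc)
```

The scanner only reports values that could not be a legitimate category name; it does not try to decide whether a value is a working payload, because for a defender the presence of quotes or operators in a `Category` node is already the finding. Run it as `python scan_menu.py /etc/xdg/menus/*.menu` (path is illustrative) to review the menu files a vulnerable `xdg.Menu.parse()` would load.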
## Timeline

- Feb 2, 2019: CVE Updated
- May 1, 2019: CVE Published
## References

- https://security.snyk.io/vuln/SNYK-PYTHON-PYXDG-174562 (advisory)
- https://learn.snyk.io/lesson/malicious-code-injection/ (technical)
- https://pypi.org/project/pyxdg/ (vendor)
- https://github.com/freedesktop/pyxdg/blob/rel-0.25/xdg/Menu.py (technical)
- https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba (technical)