Description
feh before 1.8, when the --wget-timestamp option is enabled, might allow remote attackers to execute arbitrary commands via shell metacharacters in a URL.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by anonymous · text · remote · linux
https://www.exploit-db.com/exploits/34201
References (4)
Core References
Various Sources x_refsource_confirm
http://derf.homelinux.org/git/feh/plain/ChangeLog
Exploit mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2010/06/28/4
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/41161
Exploit mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2010/06/25/4
Scores
EPSS
0.0476
EPSS Percentile
89.6%
Details
CWE
CWE-20
Status
published
Products (23)
feh_project/feh 0.5.0
feh_project/feh 0.6.4
feh_project/feh 0.7.0
feh_project/feh 0.9.9
feh_project/feh 1.1.0
feh_project/feh 1.2.0
feh_project/feh 1.2.1
feh_project/feh 1.2.3
feh_project/feh 1.2.5
feh_project/feh 1.2.6
... and 13 more
Published
May 26, 2011
Tracked Since
Feb 18, 2026