CVE-2011-4357

Clearsilver <0.10.5 - RCE

Title source: llm

Description

Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function.

References (7)

[Issue Tracking] http://code.google.com/p/clearsilver/source/detail?r=919

[Various Sources] http://tech.groups.yahoo.com/group/ClearSilver/message/1422

[Third Party Advisory] http://www.debian.org/security/2011/dsa-2355

[Third Party Advisory, VDB Entry] http://osvdb.org/77419

[Mailing List] http://www.openwall.com/lists/oss-security/2011/11/27/1

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/71599

[Vendor Advisory] http://secunia.com/advisories/47016

Scores

EPSS 0.0218

EPSS Percentile 84.4%

Details

CWE

CWE-134

Status published

Products (24)

brandon_long/clearsilver 0.1

brandon_long/clearsilver 0.2

brandon_long/clearsilver 0.2.1

brandon_long/clearsilver 0.3

brandon_long/clearsilver 0.4

brandon_long/clearsilver 0.5

brandon_long/clearsilver 0.6

brandon_long/clearsilver 0.7

brandon_long/clearsilver 0.7.1

brandon_long/clearsilver 0.7.2

... and 14 more

Published Dec 10, 2011

Tracked Since Feb 18, 2026