CVE-2013-1436
xmonad-contrib < 0.11.1 - Code Injection
The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Joachim Breitner · html · remote · linux
https://www.exploit-db.com/exploits/38680
References (4)
Scores
EPSS: 0.0816
EPSS Percentile: 92.2%
Details
CWE: CWE-94
Status: published
Products (2)
xmonad/xmonad-contrab 0.11
xmonad/xmonad-contrab < 0.11.1
Published: Oct 06, 2014
Tracked Since: Feb 18, 2026