Description
canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote feed servers to execute arbitrary commands via shell metacharacters in a URL in a feed.
References (6)
Core 6
Core References
Issue Tracking x_refsource_confirm
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731582
Exploit mailing-list
x_refsource_mlist
http://seclists.org/oss-sec/2014/q4/832
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/98947
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/71323
Exploit mailing-list
x_refsource_mlist
http://seclists.org/oss-sec/2014/q4/826
Exploit x_refsource_confirm
https://github.com/themoken/canto-curses/commit/2817869f98c54975f31e2dd674c1aefa70749cca
Scores
EPSS
0.0285
EPSS Percentile
84.9%
Details
CWE
CWE-77
Status
published
Products (3)
canto/canto_curses
0.8.4
canto/canto_curses
0.9.0 alpha2 (3 CPE variants)
canto/canto_curses
< 0.9.0
Published
Dec 03, 2014
Tracked Since
Feb 18, 2026