CVE-2017-12904

HIGH

Newsbeuter <2.9 - Code Injection

Title source: llm

Description

Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.

References (5)

[Issue Tracking, Third Party Advisory] https://github.com/akrennmair/newsbeuter/issues/591

[Patch, Third Party Advisory] https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307

View Patch ZIP pw:eip

[Mailing List] https://groups.google.com/forum/#%21topic/newsbeuter/iFqSE7Vz-DE

[Third Party Advisory] http://www.debian.org/security/2017/dsa-3947

[Vendor Advisory] https://usn.ubuntu.com/4585-1/

Scores

CVSS v3 8.8

EPSS 0.0232

EPSS Percentile 84.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-943

Status published

Products (23)

debian/debian_linux 7.0

debian/debian_linux 8.0

debian/debian_linux 9.0

newsbeuter/newsbeuter 0.7

newsbeuter/newsbeuter 0.8

newsbeuter/newsbeuter 0.8.1

newsbeuter/newsbeuter 0.8.2

newsbeuter/newsbeuter 0.9

newsbeuter/newsbeuter 0.9.1

newsbeuter/newsbeuter 1.0

... and 13 more

Published Aug 23, 2017

Tracked Since Feb 18, 2026