GHSA-r6v3-hpxj-r8rv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r6v3-hpxj-r8rv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-r6v3-hpxj-r8rv/GHSA-r6v3-hpxj-r8rv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r6v3-hpxj-r8rv
- Aliases
-
- CVE-2019-12761
- PYSEC-2019-199
- SNYK-PYTHON-PYXDG-174562
- Published
- 2019-06-07T20:56:27Z
- Modified
- 2024-10-15T16:46:05.959430Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Code Injection in PyXDG
- Details
-
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDGCONFIGDIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
- Database specific
{ "nvd_published_at": "2019-06-06T19:29:00Z", "severity": "HIGH", "github_reviewed_at": "2019-06-07T10:24:55Z", "github_reviewed": true, "cwe_ids": [ "CWE-94" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-12761
- https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba
- https://github.com/pypa/advisory-database/tree/main/vulns/pyxdg/PYSEC-2019-199.yaml
- https://github.com/takluyver/pyxdg
- https://lists.debian.org/debian-lts-announce/2019/06/msg00006.html
- https://lists.debian.org/debian-lts-announce/2021/08/msg00003.html
- https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562
Affected packages
PyPI / pyxdg
Package
- Name
- pyxdg
- View open source insights on deps.dev
- Purl
- pkg:pypi/pyxdg