HSEC-2023-0003

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0003.json
JSON Data
https://api.osv.dev/v1/vulns/HSEC-2023-0003
Aliases
Published
2023-06-19T21:35:14Z
Modified
2024-07-19T05:20:03.249399Z
Summary
code injection in xmonad-contrib
Details

The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.

References

Affected packages

Hackage / xmonad-contrib

Package

Name
xmonad-contrib
Purl
pkg:hackage/xmonad-contrib

Severity

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.5
Fixed
0.11.2

Affected versions

0.*

0.5
0.6
0.7
0.8
0.8.1
0.9
0.9.1
0.9.2
0.10
0.11
0.11.1