HSEC-2023-0003

Import Source
https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0003.json
JSON Data
https://api.osv.dev/v1/vulns/HSEC-2023-0003
Aliases
Published
2023-06-19T21:35:14Z
Modified
2025-07-27T20:43:20.187360Z
Summary
code injection in xmonad-contrib
Details

The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.

Database specific
{
    "repository": "https://github.com/haskell/security-advisories",
    "osvs": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export",
    "home": "https://haskell.github.io/security-advisories"
}
References

Affected packages

Hackage / xmonad-contrib

Package

Name
xmonad-contrib
Purl
pkg:hackage/xmonad-contrib

Severity

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.5
Fixed
0.11.2

Affected versions

0.*

0.5
0.6
0.7
0.8
0.8.1
0.9
0.9.1
0.9.2
0.10
0.11
0.11.1

Database specific

{
    "human_link": "https://haskell.github.io/security-advisories/advisory/HSEC-2023-0003.html",
    "osv": "https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0003.json"
}