CVE-2017-12904
Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.
| Software | From | Fixed in |
|---|---|---|
| newsbeuter / newsbeuter | 1.0 | 1.0.x |
| newsbeuter / newsbeuter | 2.4 | 2.4.x |
| newsbeuter / newsbeuter | 2.3 | 2.3.x |
| newsbeuter / newsbeuter | 0.8 | 0.8.x |
| newsbeuter / newsbeuter | 1.3 | 1.3.x |
| newsbeuter / newsbeuter | 0.9 | 0.9.x |
| newsbeuter / newsbeuter | 2.0 | 2.0.x |
| newsbeuter / newsbeuter | 2.1 | 2.1.x |
| newsbeuter / newsbeuter | 0.8.1 | 0.8.1.x |
| newsbeuter / newsbeuter | 2.8 | 2.8.x |
| newsbeuter / newsbeuter | 2.5 | 2.5.x |
| newsbeuter / newsbeuter | 0.8.2 | 0.8.2.x |
| newsbeuter / newsbeuter | 2.6 | 2.6.x |
| newsbeuter / newsbeuter | 0.7 | 0.7.x |
| newsbeuter / newsbeuter | 2.2 | 2.2.x |
| newsbeuter / newsbeuter | 1.1 | 1.1.x |
| newsbeuter / newsbeuter | 2.7 | 2.7.x |
| newsbeuter / newsbeuter | 2.9 | 2.9.x |
| newsbeuter / newsbeuter | 0.9.1 | 0.9.1.x |
| newsbeuter / newsbeuter | 1.2 | 1.2.x |
| debian / debian_linux | 8.0 | 8.0.x |
| debian / debian_linux | 7.0 | 7.0.x |
| debian / debian_linux | 9.0 | 9.0.x |
- http://www.debian.org/security/2017/dsa-3947
- https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
- https://github.com/akrennmair/newsbeuter/issues/591
- https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE
- https://groups.google.com/forum/#%21topic/newsbeuter/iFqSE7Vz-DE
- https://usn.ubuntu.com/4585-1/
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime