CVE-2017-14500

Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.

Published: Sep 17, 2017
Updated: Nov 9, 2025
CVE: CVE-2017-14500
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
newsbeuter / newsbeuter	0.5	0.5.x
newsbeuter / newsbeuter	1.0	1.0.x
newsbeuter / newsbeuter	2.4	2.4.x
newsbeuter / newsbeuter	2.3	2.3.x
newsbeuter / newsbeuter	0.8	0.8.x
newsbeuter / newsbeuter	0.4	0.4.x
newsbeuter / newsbeuter	1.3	1.3.x
newsbeuter / newsbeuter	0.9	0.9.x
newsbeuter / newsbeuter	2.0	2.0.x
newsbeuter / newsbeuter	2.1	2.1.x
newsbeuter / newsbeuter	0.8.1	0.8.1.x
newsbeuter / newsbeuter	2.8	2.8.x
newsbeuter / newsbeuter	2.5	2.5.x
newsbeuter / newsbeuter	0.8.2	0.8.2.x
newsbeuter / newsbeuter	2.6	2.6.x
newsbeuter / newsbeuter	0.7	0.7.x
newsbeuter / newsbeuter	2.2	2.2.x
newsbeuter / newsbeuter	1.1	1.1.x
newsbeuter / newsbeuter	0.3	0.3.x
newsbeuter / newsbeuter	0.6	0.6.x
newsbeuter / newsbeuter	2.7	2.7.x
newsbeuter / newsbeuter	2.9	2.9.x
newsbeuter / newsbeuter	0.9.1	0.9.1.x
newsbeuter / newsbeuter	1.2	1.2.x

Vulnerability Database

318,389

CVE-2017-14500

Deep Security Visibility Without the Complexity