| Severity |
|
| Remote |
|
| Type |
| + |
Arbitrary command execution |
|
| Description |
| + |
Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted shell command execution by crafting an RSS item that includes shell code in its title and/or URL. When the user bookmarks such item the shell code will be executed. |
|
| References |
| + |
https://github.com/akrennmair/newsbeuter/issues/591 |
| + |
https://github.com/akrennmair/newsbeuter/commit/3b84203448f077dff6f83ba986f916884184852c |
| + |
https://github.com/akrennmair/newsbeuter/commit/d1460189f6f810ca9a3687af7bc43feb7f2af2d9 |
| + |
https://groups.google.com/forum/#!topic/newsbeuter/iFqSE7Vz-DE |
|
| Notes |
| + |
Do not use bookmarking until you apply the fix. See the comment below for details. |
|