Base Score

HIGH7.5

CVE-2019-12761

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.

VectorNETWORK

Published Bycve@mitre.org

Published DateJun 06, 2019, 19:29

Affected Versions(1)

pyxdg(PyPI)

Introduced0

Fixed0.26

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
pyxdg(PyPI)	0	0.26	N/A

Weakness Type (CWE):CWE-94

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

HIGH7.5

Weakness Type (CWE):CWE-94

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH