Robin Peraglie and Johannes Moritz discovered an argument injection bug in the xfce4-mime-helper component of xfce4-settings, which can be exploited using the xdg-open common tool. Since xdg-open is used by multiple standard applications for opening links, this bug could be exploited by an attacker to run arbitrary code on an user machine by providing a malicious PDF file with specifically crafted links. For the stable distribution (bullseye), this problem has been fixed in version 4.16.0-1+deb11u1. We recommend that you upgrade your xfce4-settings packages. For the detailed security status of xfce4-settings please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xfce4-settings
Robin Peraglie and Johannes Moritz discovered an argument injection bug in the xfce4-mime-helper component of xfce4-settings, which can be exploited using the xdg-open common tool. Since xdg-open is used by multiple standard applications for opening links, this bug could be exploited by an attacker to run arbitrary code on an user machine by providing a malicious PDF file with specifically crafted links.
For the stable distribution (bullseye), this problem has been fixed in version 4.16.0-1+deb11u1.
We recommend that you upgrade your xfce4-settings packages.
For the detailed security status of xfce4-settings please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xfce4-settings
Vulmon