CVE-2014-3697

Published: 29/10/2014 Updated: 20/11/2014
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Vulnerability Summary

Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin prior to 2.10.10 on Windows allows remote malicious users to write to arbitrary files via a drive name in a tar archive of a smiley theme.
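The defect described above is a missing sanity check on tar member names before they are joined to the theme directory: a name such as "C:\Windows\evil.dll" is not relative to anything, so an extractor that simply concatenates it writes wherever the name points. The following is an added example of the check a tar extractor on Windows needs, not Pidgin's own untar.c or its fix. It reads the name and prefix fields of a ustar header (offsets 0/100 and 345/155 bytes, per the tar format), joins them, and refuses drive-letter names (the case this CVE describes), absolute and UNC paths, and any ".." component; the last two go beyond the drive-name case in the summary. The header bytes and member names are constructed here for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TAR_BLOCK 512

/* Return 1 if a member name may be joined under the extraction root, 0 if it
 * could escape it: a drive letter ("C:" or "C:\"), an absolute path on either
 * platform (including UNC "\\server\share"), or any ".." component. */
int tar_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;                       /* drive-letter path, the CVE-2014-3697 case */
    if (name[0] == '/' || name[0] == '\\')
        return 0;                       /* absolute or UNC path */
    const char *p = name;
    while (*p) {                        /* walk components split on '/' or '\' */
        const char *end = p;
        while (*end && *end != '/' && *end != '\\')
            end++;
        if (end - p == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* parent-directory traversal */
        p = *end ? end + 1 : end;
    }
    return 1;
}

/* Copy the member name out of a 512-byte ustar header. The format stores the
 * name at offset 0 (100 bytes) and an optional directory prefix at offset 345
 * (155 bytes); neither field is guaranteed to be NUL-terminated, so both are
 * copied into terminated buffers first. Returns 0 on success, -1 if the joined
 * path does not fit in out. */
int tar_header_name(const unsigned char *hdr, char *out, size_t outsz)
{
    char name[101], prefix[156];
    memcpy(name, hdr, 100);
    name[100] = '\0';
    memcpy(prefix, hdr + 345, 155);
    prefix[155] = '\0';
    int n = prefix[0] ? snprintf(out, outsz, "%s/%s", prefix, name)
                      : snprintf(out, outsz, "%s", name);
    return (n >= 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Decide whether the member described by hdr may be written to disk.
 * Returns 1 to extract, 0 to refuse. */
int tar_entry_allowed(const unsigned char *hdr)
{
    char path[300];
    if (tar_header_name(hdr, path, sizeof path) != 0)
        return 0;
    return tar_name_is_safe(path);
}

/* Build a minimal ustar header from constructed name/prefix fields (test data,
 * not a real archive; only the fields this example reads are filled in). */
void make_header(unsigned char *hdr, const char *name, const char *prefix)
{
    memset(hdr, 0, TAR_BLOCK);
    strncpy((char *)hdr, name, 100);
    if (prefix)
        strncpy((char *)hdr + 345, prefix, 155);
    memcpy(hdr + 257, "ustar", 6);      /* magic field; not validated here */
}

/* Convenience wrapper: would a member with these header fields be extracted? */
int check_member(const char *name, const char *prefix)
{
    unsigned char hdr[TAR_BLOCK];
    make_header(hdr, name, prefix);
    return tar_entry_allowed(hdr);
}

int main(void)
{
    /* Constructed sample member names, as they could appear in a theme tarball. */
    const char *samples[] = {
        "smileys/theme",            /* ordinary relative member */
        "C:\\Windows\\evil.dll",    /* drive-letter absolute path (the CVE case) */
        "C:evil.txt",               /* drive-relative path */
        "/etc/passwd",              /* POSIX absolute path */
        "..\\..\\evil.txt",         /* parent traversal, backslash separators */
        "theme/../../evil.txt",     /* traversal buried mid-path */
        "\\\\server\\share\\x",     /* UNC path */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s -> %s\n", samples[i],
               check_member(samples[i], NULL) ? "extract" : "REFUSE");
    printf("%-26s -> %s\n", "prefix \"C:\" + theme",
           check_member("theme", "C:") ? "extract" : "REFUSE");
    return 0;
}
```

The check runs on the joined prefix/name string rather than on the name field alone, because a drive letter or ".." placed in the prefix field would otherwise slip past a check that only looks at the first 100 bytes. Rejecting the entry is the only safe response; rewriting the name (stripping the drive or the leading separator) leaves an attacker-chosen relative path that may still collide with something under the theme directory.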

Vulnerable Products

pidgin pidgin 2.10.0

pidgin pidgin 2.10.1

pidgin pidgin 2.10.2

pidgin pidgin 2.10.3

pidgin pidgin 2.10.4

pidgin pidgin 2.10.5

pidgin pidgin 2.10.6

pidgin pidgin 2.10.7

pidgin pidgin 2.10.8

pidgin pidgin (version not specified)

Recent Articles

Emoticons blast three security holes in Pidgin :-(
The Register • Darren Pauli • 10 Nov 2014

Dump docs on users' disks using only ASCII art (°O°)

Cisco researchers have reported a trio of vulnerabilities in popular instant messaging client Pidgin that allow for denial of service by way of emoticon abuse and remote arbitrary file creation. Researchers Yves Younan and Richard Johnson say the flaws have since been quietly patched; they rated a maximum CVSS score of 6.4 but were easily and remotely exploitable. The first reported flaw (CVE-2014-3697) affected the way Pidgin accessed smileys and themes as tar packages on Windows systems. Linux ...