CVE-2017-12904

Published: 23/08/2017 Updated: 07/11/2023
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 828
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 up to and including 2.9 allows remote malicious users to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.

Vulnerable Product

newsbeuter newsbeuter 1.0

newsbeuter newsbeuter 2.4

newsbeuter newsbeuter 2.3

newsbeuter newsbeuter 0.8

newsbeuter newsbeuter 1.3

newsbeuter newsbeuter 0.9

newsbeuter newsbeuter 2.0

newsbeuter newsbeuter 2.1

newsbeuter newsbeuter 0.8.1

newsbeuter newsbeuter 2.8

newsbeuter newsbeuter 2.5

newsbeuter newsbeuter 0.8.2

newsbeuter newsbeuter 2.6

newsbeuter newsbeuter 0.7

newsbeuter newsbeuter 2.2

newsbeuter newsbeuter 1.1

newsbeuter newsbeuter 2.7

newsbeuter newsbeuter 2.9

newsbeuter newsbeuter 0.9.1

newsbeuter newsbeuter 1.2

debian debian linux 8.0

debian debian linux 7.0

debian debian linux 9.0

Vendor Advisories

Debian Bug report logs - #876004 newsbeuter: CVE-2017-14500: Podbeuter podcast fetcher: remote code execution. Package: src:newsbeuter; Maintainer for src:newsbeuter is Nikos Tsipinakis <nikos@tsipinakis.com>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sun, 17 Sep 2017 09:27:02 UTC; Severity: grave; Tag ...
Jeriko One discovered that newsbeuter, a text-mode RSS feed reader, did not properly escape the title and description of a news article when bookmarking it. This allowed a remote attacker to run an arbitrary shell command on the client machine. For the oldstable distribution (jessie), this problem has been fixed in version 2.8-2+deb8u1. For the sta ...