CVE-2009-0068 — Code Injection in Xdg-utils

CWE-94 — Code Injection4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

1.4%

top 19.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Xdg-utils Debian Xdg-utils

Timeline

PublishedJan 7

Latest updateMay 2

Description

Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type that Firefox sends to xdg-open, which causes xdg-open to process the dangerous file type through automatic type detection, as demonstrated by overwriting the .desktop file.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶NVDfreedesktop/xdg-utils1.0

▶debiandebian/xdg-utils

🔴Vulnerability Details

GHSA

GHSA-c244-p864-46qg: Interaction error in xdg-open allows remote attackers to execute arbitrary code by sending a file with a dangerous MIME type but using a safe type tha↗2022-05-02

▶

📋Vendor Advisories

Debian

CVE-2009-0068: xdg-utils - Interaction error in xdg-open allows remote attackers to execute arbitrary code ...↗2009

▶

💬Community

Bugzilla

CVE-2009-0068 Using xdg-open in mailcap causes hole in Firefox↗2009-01-06

▶