CVE-2012-5534 — Improper Input Validation in Weechat

CWE-20 — Improper Input Validation7 documents5 sources

Severity

7.5HIGHNVD

EPSS

2.0%

top 16.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Weechat Debian Weechat Flashtux Weechat

Timeline

PublishedDec 3

Latest updateMay 17

Description

The hook_process function in the plugin API for WeeChat 0.3.0 through 0.3.9.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a command from a plugin, related to "shell expansion."

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/weechat< weechat 0.3.9.2-1 (bookworm)

▶Debianweechat/weechat< 0.3.9.2-1+3

▶NVDflashtux/weechat11 versions+10

Patches

Patch: weechat.org ↗Patch: weechat.org ↗

🔴Vulnerability Details

GHSA

GHSA-q88q-j4pq-r9xg: The hook_process function in the plugin API for WeeChat 0↗2022-05-17

▶

OSV

CVE-2012-5534: The hook_process function in the plugin API for WeeChat 0↗2012-12-03

▶

📋Vendor Advisories

Debian

CVE-2012-5534: weechat - The hook_process function in the plugin API for WeeChat 0.3.0 through 0.3.9.1 al...↗2012

▶

💬Community

Bugzilla

CVE-2012-5534 weechat (scripts / plug-ins): Arbitrary code execution due to call of shell when executing command within hook_process [epel-6]↗2012-11-19

▶

Bugzilla

CVE-2012-5534 weechat (scripts / plug-ins): Arbitrary code execution due to call of shell when executing command within hook_process [fedora-all]↗2012-11-19

▶

Bugzilla

CVE-2012-5534 weechat (scripts / plug-ins): Arbitrary code execution due to call of shell when executing command within hook_process↗2012-11-19

▶