CVE-2013-1436
Published: 2014-10-06
Priority: P3 · 55 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 8.98% (94.6th percentile)
The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | xmonad-contrib | < xmonad-contrib 0.11.2-1 (bookworm) | xmonad-contrib 0.11.2-1 (bookworm) |
| xmonad | xmonad-contrab | <= 0.11.1 | — |
| xmonad | xmonad-contrab | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat · vendor_redhat · 2013-03-09 · CVSS 7.5
CVE-2013-7439 [HIGH] CWE-119 libX11: buffer overflow in MakeBigReq macro
Multiple off-by-one errors in the (1) MakeBigReq and (2) SetReqLen macros in include/X11/Xlibint.h in X11R6.x and libX11 before 1.6.0 allow remote attackers to have unspecified impact via a crafted request, which triggers a buffer overflow.
Statement: This issue does not affect the version of libX11 package as shipped with Red Hat Enterprise Linux 7.
This issue was fixed in Red Hat Enterprise Linux 6 via the following security advisory:
https://rhn.redhat.com/errata/RHSA-2014-1436.html
This issue affects the version of libX11 package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in futur
Debian · vendor_debian · 2013 · CVSS 7.5
CVE-2013-1436 [HIGH] xmonad-contrib - The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote...
The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.
Scope: local
bookworm: resolved (fixed in 0.11.2-1)
bullseye: resolved (fixed in 0.11.2-1)
forky: resolved (fixed in 0.11.2-1)
sid: resolved (fixed in 0.11.2-1)
trixie: resolved (fixed in 0.11.2-1)
OSV · osv · 2025-11-14
CVE-2013-1436 code injection in xmonad-contrib
The `XMonad.Hooks.DynamicLog` module in _xmonad-contrib_ before
**0.11.2** allows remote attackers to execute arbitrary commands via a
web page title, which activates the commands when the user clicks on
the xmobar window title, as demonstrated using an action tag.
GHSA · ghsa_unreviewed · 2022-05-17
CVE-2013-1436 [HIGH] CWE-94 GHSA-w6w5-x32x-cg2w: The XMonad
The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.
OSV · osv · 2014-10-06 · CVSS 7.5
CVE-2013-1436 [HIGH] CVE-2013-1436: The XMonad
The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.
No detection rules found.
Bugzilla · bugzilla · 2015-04-08 · CVSS 7.5
CVE-2013-7439 [HIGH] libX11: buffer overflow in MakeBigReq macro
The MakeBigReq macro in libX11 before version 1.5.99.901 contained a 4-byte buffer overflow:
https://bugs.freedesktop.org/show_bug.cgi?id=56508
Fixed by the following commit in libX11 1.5.99.901:
http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d
CVE request: http://seclists.org/oss-sec/2015/q2/73
Discussion:
Statement:
This issue does not affect the version of libX11 package as shipped with Red Hat Enterprise Linux 7.
This issue was fixed in Red Hat Enterprise Linux 6 via the following security advisory:
https://rhn.redhat.com/errata/RHSA-2014-1436.html
This issue affects the version of libX11 package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 i
Bugzilla · bugzilla · 2013-07-29 · CVSS 7.5
CVE-2013-1436 [HIGH] XMonad.Hooks.DynamicLog remote command injection flaw
It was reported [1] that XMonad's contributed DynamicLog module was vulnerable to a remote command injection flaw. From the report:
Background
The DynamicLog module feeds information to other programs about what's
happening on the xmonad window manager. Such programs are generally status bars
such as xmobar or dzen2. These programs feature the ability to receive
formatted input from stdin, and that's the way xmonad uses to
communicate information such as workspace status, current layout and window
title. So far, so good.
Both bars use some meta-language to format their input. For example,
xmobar will make the following text clickable.
Click to clock
Vulnerability & exploit
As we know, web browsers usually set the window ti
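The mechanism the report describes is a markup injection: a browser copies an untrusted web page title into its window title, DynamicLog forwards that title verbatim to xmobar, and xmobar interprets any `<action=...>` tag it finds. The following is an added example (not code from xmonad-contrib, xmobar, or the bug report) showing the defender's two options: detect titles that carry action tags, and neutralise the title before it reaches the bar, either by stripping every tag (robustly, so nested tags cannot survive a single pass) or by escaping it. The escaping function assumes xmobar's `<raw=LEN:TEXT/>` literal-text construct; the `actions_seen_by_bar` function is a toy model of a markup-aware bar, not xmobar's real parser; and the window titles and the `xmessage hello` command are constructed samples.

```python
"""Sanitising untrusted window titles before piping them to a markup-aware
status bar (the DynamicLog / xmobar action-tag problem, CVE-2013-1436).
Added example; not code from xmonad-contrib or xmobar."""
import re

# Any <...> sequence, i.e. anything a bar could read as a formatting tag.
TAG_RE = re.compile(r"<[^<>]*>")
# The one tag family that can run commands (assumed xmobar syntax).
ACTION_RE = re.compile(r"<action=", re.IGNORECASE)

# Constructed sample titles (what a browser might report for a page).
BENIGN_TITLE = "Example Domain - Mozilla Firefox"
MALICIOUS_TITLE = "<action=xmessage hello>Click me</action> - Mozilla Firefox"
# Nested tags: a single-pass strip leaves a working action tag behind.
NESTED_TITLE = "<<action=xmessage hello>action=xmessage hello>nested"


def contains_action_tag(title: str) -> bool:
    """Detection: flag a title that carries an action tag (log or alert)."""
    return ACTION_RE.search(title) is not None


def strip_xmobar_tags(title: str) -> str:
    """Mitigation 1: remove every <...> sequence, repeating until the text
    is stable so that nested tags cannot reassemble after one pass.
    Legitimate angle brackets are lost, but nothing can be interpreted."""
    prev, cur = None, title
    while prev != cur:
        prev, cur = cur, TAG_RE.sub("", cur)
    return cur


def xmobar_raw(text: str) -> str:
    """Mitigation 2: escape with the raw construct (assumed syntax
    <raw=LEN:TEXT/>, LEN = character count). The bar shows TEXT literally,
    so a '<' inside it can never start a tag, and the title is preserved."""
    return f"<raw={len(text)}:{text}/>"


def vulnerable_pp_title(title: str) -> str:
    """The pre-fix behaviour: the title is passed through unchanged."""
    return title


def safe_pp_title(title: str) -> str:
    """What a DynamicLog-style title printer should emit instead."""
    return xmobar_raw(title)


def actions_seen_by_bar(markup: str) -> list:
    """Toy model of a markup-aware bar reading one stdin line: returns the
    commands it would bind to clicks. Honours <raw=LEN:...> by skipping
    LEN characters verbatim. Model only, not xmobar's parser."""
    cmds, i, n = [], 0, len(markup)
    while i < n:
        if markup.startswith("<raw=", i):
            colon = markup.index(":", i)          # first ':' follows LEN
            length = int(markup[i + 5:colon])
            i = colon + 1 + length                # skip the literal payload
            if markup.startswith("/>", i):
                i += 2
            continue
        m = ACTION_RE.match(markup, i)
        if m:
            close = markup.index(">", m.end())
            cmds.append(markup[m.end():close].strip("`"))
            i = close + 1
            continue
        i += 1
    return cmds


def audit(titles) -> list:
    """Per-title report: flagged?, commands the bar would see before and
    after the fix, and the stripped fallback text."""
    return [
        {
            "title": t,
            "flagged": contains_action_tag(t),
            "before_fix": actions_seen_by_bar(vulnerable_pp_title(t)),
            "after_fix": actions_seen_by_bar(safe_pp_title(t)),
            "stripped": strip_xmobar_tags(t),
        }
        for t in titles
    ]


if __name__ == "__main__":
    for row in audit([BENIGN_TITLE, MALICIOUS_TITLE, NESTED_TITLE]):
        print(row)
```

The escaping route is preferable to stripping: it keeps the title intact for the user and does not depend on guessing every tag the bar understands, only on the bar honouring its own literal-text construct. The detection function is useful independently of the fix, for example to spot titles that were probing for this behaviour in a window-title log.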
Bugzilla · bugzilla · 2013-07-29 · CVSS 7.5
CVE-2013-1436 [HIGH] ghc-xmonad-contrib: XMonad.Hooks.DynamicLog remote command injection flaw [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Plea
Bugzilla · bugzilla · 2013-07-29 · CVSS 7.5
CVE-2013-1436 [HIGH] ghc-xmonad-contrib: XMonad.Hooks.DynamicLog remote command injection flaw [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epe
References
- http://handra.rampa.sk/dawb/patch?repoPURL=http%3A%2F%2Fcode.haskell.org%2FXMonadContrib&repoPHash=20130708144813-1499c-0c3e284d3523c0694b9423714081761813bc1e89
- http://security.gentoo.org/glsa/glsa-201405-28.xml
- http://www.openwall.com/lists/oss-security/2013/07/26/5
- http://www.securityfocus.com/bid/61491