CVE-2016-9435 — Improper Input Validation in W3M

CWE-20 — Improper Input Validation CWE-456 — Missing Initialization of a Variable8 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

1.4%

top 19.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tats W3M Opensuse Leap Opensuse Project Leap

Timeline

PublishedJan 20

Latest updateMay 14

Description

The HTMLtagproc1 function in file.c in w3m before 0.5.3+git20161009 does not properly initialize values, which allows remote attackers to crash the application via a crafted html file, related to tags.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Debiantats/w3m< 0.5.3-30+3

▶NVDtats/w3m0.5.3\+git20160718

▶NVDopensuse/leap42.2

▶NVDopensuse_project/leap42.1

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-5j5f-5jrw-f736: The HTMLtagproc1 function in file↗2022-05-14

▶

CVEList

CVE-2016-9435: The HTMLtagproc1 function in file↗2017-01-20

▶

OSV

CVE-2016-9435: The HTMLtagproc1 function in file↗2017-01-20

▶

📋Vendor Advisories

Ubuntu

w3m vulnerabilities↗2017-03-02

▶

Red Hat

w3m: Unitialised value in file.c↗2016-08-17

▶

Debian

CVE-2016-9435: w3m - The HTMLtagproc1 function in file.c in w3m before 0.5.3+git20161009 does not pro...↗2016

▶

💬Community

Bugzilla

CVE-2016-9435 w3m: Unitialised value in file.c↗2016-11-29

▶