CVE-2016-9436 — Improper Input Validation in W3M

CWE-20 — Improper Input Validation CWE-456 — Missing Initialization of a Variable8 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

1.4%

top 19.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tats W3M Opensuse Leap Opensuse Project Leap

Timeline

PublishedJan 20

Latest updateMay 14

Description

parsetagx.c in w3m before 0.5.3+git20161009 does not properly initialize values, which allows remote attackers to crash the application via a crafted html file, related to a tag.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Debiantats/w3m< 0.5.3-30+3

▶NVDtats/w3m0.5.3\+git20160718

▶NVDopensuse/leap42.2

▶NVDopensuse_project/leap42.1

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-5j3m-7p74-crqv: parsetagx↗2022-05-14

▶

OSV

CVE-2016-9436: parsetagx↗2017-01-20

▶

CVEList

CVE-2016-9436: parsetagx↗2017-01-20

▶

📋Vendor Advisories

Ubuntu

w3m vulnerabilities↗2017-03-02

▶

Red Hat

w3m: Unitialised value in parsetagx.c↗2016-08-17

▶

Debian

CVE-2016-9436: w3m - parsetagx.c in w3m before 0.5.3+git20161009 does not properly initialize values,...↗2016

▶

💬Community

Bugzilla

CVE-2016-9436 w3m: Unitialised value in parsetagx.c↗2016-11-29

▶