Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
PYSEC-2019-199
Vulnerability from pysec - Published: 2019-06-06 19:29 - Updated: 2021-08-27 03:22
VLAI
Details
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
Impacted products
| Name | purl | pyxdg | pkg:pypi/pyxdg |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyxdg",
"purl": "pkg:pypi/pyxdg"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.26"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.19",
"0.20",
"0.21",
"0.22",
"0.23",
"0.24",
"0.25"
]
}
],
"aliases": [
"CVE-2019-12761",
"SNYK-PYTHON-PYXDG-174562",
"GHSA-r6v3-hpxj-r8rv"
],
"details": "A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.",
"id": "PYSEC-2019-199",
"modified": "2021-08-27T03:22:18.878765Z",
"published": "2019-06-06T19:29:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562"
},
{
"type": "WEB",
"url": "https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00006.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-r6v3-hpxj-r8rv"
}
]
}