PYSEC-2018-76

Vulnerability from pysec - Published: 2018-06-26 16:29 - Updated: 2021-08-25 04:30
VLAI?
Details

topydo contains a CWE-20: Improper Input Validation vulnerability in ListFormatParser::parse, file topydo/lib/ListFormat.py line 292 as of d4f843dac71308b2f29a7c2cdc76f055c3841523 that can result in Injection of arbitrary bytes to the terminal, including terminal escape code sequences. This attack appear to be exploitable via The victim must open a todo.txt with at least one specially crafted line..

Impacted products
Name purl
topydo pkg:pypi/topydo
Aliases
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "topydo",
        "purl": "pkg:pypi/topydo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.1.1",
        "0.1.2",
        "0.10",
        "0.10.1",
        "0.11",
        "0.12",
        "0.13",
        "0.14",
        "0.2",
        "0.3",
        "0.3.1",
        "0.3.2",
        "0.4",
        "0.4.1",
        "0.5",
        "0.6",
        "0.7",
        "0.8",
        "0.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000523",
    "GHSA-h6h9-pphv-m266"
  ],
  "details": "topydo contains a CWE-20: Improper Input Validation vulnerability in ListFormatParser::parse, file topydo/lib/ListFormat.py line 292 as of d4f843dac71308b2f29a7c2cdc76f055c3841523 that can result in Injection of arbitrary bytes to the terminal, including terminal escape code sequences. This attack appear to be exploitable via The victim must open a todo.txt with at least one specially crafted line..",
  "id": "PYSEC-2018-76",
  "modified": "2021-08-25T04:30:33.312157Z",
  "published": "2018-06-26T16:29:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://github.com/bram85/topydo/issues/240"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bram85/topydo/blob/master/topydo/lib/ListFormat.py#L292"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-h6h9-pphv-m266"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.