Improper Neutralization of Argument Delimiters in a Command in xfce4-settings

#VU69197 Improper Neutralization of Argument Delimiters in a Command in xfce4-settings

Published: 2022-11-10

Vulnerability identifier: #VU69197

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-45062

CWE-ID: CWE-88

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
xfce4-settings
Other software / Other software solutions

Vendor: xfce-mirror

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper handling of arguments in xfce4-mime-helper. A remote attacker can trick the victim into opening a specially crafted URL and execute arbitrary OS commands on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

xfce4-settings: 4.16.0 - 4.17.0

External links
http://gitlab.xfce.org/xfce/xfce4-settings/-/commit/55e3c5fb667e96ad1412cf249879262b369d28d7
http://gitlab.xfce.org/xfce/xfce4-settings/-/commit/f34a92a84f96268ad24a7a13fd5edc9f1d526110
http://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for xfce4-settings

Gentoo update for xfce4-settings

Debian update for xfce4-settings

openEuler 22.03 LTS update for xfce4-settings

Slackware Linux update for xfce4-settings

Remote code execution in xfce4-settings