PYSEC-2019-199

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyxdg/PYSEC-2019-199.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2019-199
Aliases
Published
2019-06-06T19:29:00Z
Modified
2023-11-01T05:28:11.947410Z
Summary
[none]
Details

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
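
A defensive check for the condition described above, as an added example that is not part of the advisory or of PyXDG: it reports whether a pyxdg version falls in the affected range and flags Category elements in .menu files whose text is not a plain category name. The allowed-character pattern, the function names and the sample menu are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: legitimate category names contain only letters, digits, '-' and
# '_' (e.g. "AudioVideo", "X-Example-Tools"); anything else is reported.
SAFE_CATEGORY = re.compile(r"[A-Za-z0-9_-]+")
FIXED_VERSION = (0, 26)  # first fixed release according to the advisory

# Constructed sample menu: two ordinary categories and one that is not a name.
SAMPLE_MENU = """<Menu>
  <Name>Applications</Name>
  <Include><And>
    <Category>Office</Category>
    <Category>X-Example-Tools</Category>
    <Category>Office (constructed non-name text)</Category>
  </And></Include>
</Menu>"""

def is_affected(version: str) -> bool:
    """True if a pyxdg version string is older than the fixed release 0.26."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:2])
    return parts < FIXED_VERSION

def suspicious_categories(menu_xml: str) -> list[str]:
    """Return the text of each <Category> element that is not a plain name."""
    root = ET.fromstring(menu_xml)
    return [text for elem in root.iter("Category")
            if not SAFE_CATEGORY.fullmatch(text := (elem.text or "").strip())]

def scan_config_dirs(config_dirs: str) -> dict[str, list[str]]:
    """Scan every *.menu file under a colon-separated XDG_CONFIG_DIRS value."""
    results = {}
    for directory in filter(None, config_dirs.split(":")):
        for path in Path(directory).rglob("*.menu"):
            try:
                hits = suspicious_categories(path.read_text(encoding="utf-8"))
            except (OSError, ValueError, ET.ParseError):
                hits = ["<unreadable or malformed menu file>"]
            if hits:
                results[str(path)] = hits
    return results

if __name__ == "__main__":
    import os
    print("sample findings:", suspicious_categories(SAMPLE_MENU))
    for name, hits in scan_config_dirs(os.environ.get("XDG_CONFIG_DIRS", "")).items():
        print(name, hits)
```

A finding is a prompt to inspect the file, not proof of compromise; upgrading to 0.26 or later is the fix the advisory records.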

References

Affected packages

PyPI / pyxdg

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.26

Affected versions

0.*

0.19
0.20
0.21
0.22
0.23
0.24
0.25