Topydo Improper Input Validation vulnerability

High severity • GitHub Reviewed • Published Sep 13, 2018 to the GitHub Advisory Database • Updated Aug 17, 2023

Package

topydo (pip)

Affected versions

<= 0.13

Patched versions

None

Description

topydo contains a CWE-20: Improper Input Validation vulnerability in ListFormatParser::parse (file topydo/lib/ListFormat.py, line 292 as of d4f843dac71308b2f29a7c2cdc76f055c3841523) that can result in injection of arbitrary bytes into the terminal, including terminal escape code sequences. This attack appears to be exploitable via a todo.txt file: the victim must open a todo.txt with at least one specially crafted line.
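One way to keep control bytes in a todo.txt line from reaching the terminal, as an added example (it is not topydo's code or a patch from the project). The function names and the sample content are assumptions made here; the sketch audits a file for lines carrying control characters and renders them in visible escaped form.

```python
import unicodedata

# Constructed sample todo.txt content. The second line carries ESC (0x1b)
# and BEL (0x07) bytes, standing in for a "specially crafted line".
SAMPLE_TODO = (
    "(A) Call the bank +finance @phone\n"
    "Buy milk \x1b[2J\x1b]0;title\x07 @shop\n"
    "x 2018-09-01 Pay rent\r\n"
)


def is_unsafe(ch):
    """True for characters a terminal may interpret instead of display."""
    # Unicode category Cc covers the C0 controls (ESC, BEL, CR, ...),
    # DEL, and the C1 controls (0x80-0x9f, including single-byte CSI).
    return ch != "\t" and unicodedata.category(ch) == "Cc"


def neutralize(text):
    """Return text with each control character replaced by a visible \\xNN.

    Display-only encoding: it is meant for printing, not for round-tripping.
    """
    return "".join(
        "\\x{:02x}".format(ord(ch)) if is_unsafe(ch) else ch for ch in text
    )


def audit_todo(content):
    """Return [(line_number, neutralized_line)] for lines with control chars."""
    findings = []
    # Split on "\n" only: str.splitlines() also splits on several control
    # characters and would silently drop them from the audit.
    for number, line in enumerate(content.split("\n"), start=1):
        line = line.rstrip("\r")  # tolerate CRLF line endings
        if any(is_unsafe(ch) for ch in line):
            findings.append((number, neutralize(line)))
    return findings


if __name__ == "__main__":
    for number, shown in audit_todo(SAMPLE_TODO):
        print("line {}: {}".format(number, shown))
```

Applying `neutralize` at the point where a formatted line is written to the terminal covers every output path, whereas `audit_todo` only reports on a file before it is opened.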

References

Published to the GitHub Advisory Database Sep 13, 2018
Reviewed Jun 16, 2020
Last updated Aug 17, 2023

Severity

High 8.1 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Weaknesses

CVE ID

CVE-2018-1000523

GHSA ID

GHSA-h6h9-pphv-m266

Source code
