Code Injection in PyXDG
High severity
GitHub Reviewed
Published
Jun 7, 2019
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Description
Published by the National Vulnerability Database
Jun 6, 2019
Reviewed
Jun 7, 2019
Published to the GitHub Advisory Database
Jun 7, 2019
Last updated
Feb 1, 2023
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
References