CVE-2010-2809

EPSS 5.77%
Published 19.08.2010 22:00:02
Last modified 11.04.2025 00:51:21
Source secalert@redhat.com
CVE-Watchlists
Login
Open
Login

The default configuration of the <Button2> binding in Uzbl before 2010.08.05 does not properly use the @SELECTED_URI feature, which allows user-assisted remote attackers to execute arbitrary commands via a crafted HREF attribute of an A element in an HTML document.

Affected products Warnungen 0 Metrics 2 CWE 1 References 13

Data is provided by the National Vulnerability Database (NVD)

Uzbl ≫ Uzbl Version <= 2010.04.03

Uzbl ≫ Uzbl Version2009.12.22

Uzbl ≫ Uzbl Version2010.01.04

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	5.77%	0.899

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

http://github.com/Dieterbe/uzbl/commit/9cc39cb5c9396be013b5dc2ba7e4b3eaa647e975

http://github.com/pawelz/uzbl/commit/342f292c27973c9df5f631a38bd12f14a9c5cdc2

http://marc.info/?l=oss-security&m=128111493509265&w=2

http://marc.info/?l=oss-security&m=128111994317381&w=2

http://www.securityfocus.com/bid/42297

http://www.uzbl.org/bugs/index.php?do=details&task_id=240

http://www.uzbl.org/news.php?id=29

Patch

https://bugzilla.redhat.com/show_bug.cgi?id=621964

https://bugzilla.redhat.com/show_bug.cgi?id=621965

https://exchange.xforce.ibmcloud.com/vulnerabilities/61011

https://nvd.nist.gov/vuln/detail/CVE-2010-2809

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2010-2809

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2010-2809

EUVD