VBScript Injection Vulnerability in GNOME Files with gnome-exe-thumbnailer
CVE-2017-11421

7.8HIGH

Key Information:

Vendor
Gnome-exe-thumbnailer Project
Status
Gnome-exe-thumbnailer
Vendor
CVE Published:
18 July 2017

Summary

The gnome-exe-thumbnailer is susceptible to a VBScript Injection flaw prior to version 0.9.5. This vulnerability allows a local attacker to exploit the GNOME Files file manager. The issue occurs when generating thumbnails for MSI files that contain VBScript code in their filenames, leading to possible execution of malicious scripts when a victim navigates to the affected directory.

References

https://bugs.debian.org/868705
x_refsource_MISC
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbn...
x_refsource_MISC
http://news.dieweltistgarnichtso.net/posts/gnome-thumbnai...
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.