Command Injection Vulnerability in spice-vdagent by FreeDesktop
CVE-2017-15108
7.8HIGH
Summary
The spice-vdagent component up to version 0.17.0 is susceptible to a command injection vulnerability due to inadequate escaping of the save directory before it is passed to the shell. This weakness allows a local attacker, equipped with access to the session in which the agent operates, to execute arbitrary commands, potentially leading to unauthorized system control or data exposure.
Affected Version(s)
spice-vdagent up to and including 0.17.0
References
CVSS V3.1
Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved