Remote Code Execution Vulnerability in Terminology by Enlightenment
CVE-2018-20167

7.8 HIGH

Key Information:

Vendor
CVE Published: 17 December 2018

Summary

A vulnerability in Terminology prior to version 1.3.1 allows remote code execution due to improper handling of popmedia control sequences. An attacker can exploit this issue by introducing malicious files in specially crafted software projects, which, when executed, may lead to the unintended launch of executable file formats registered with the X desktop share MIME types. This is possible because the control sequence delegates unknown file types to the handle_unknown_media() function, which in turn runs xdg-open on potentially harmful files. Users are urged to upgrade to the latest version to mitigate this risk.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
