
Krzysztof Sieluzycki

7.2 CVSS total
Vulnerabilities · 1
PT-2018-17747
7.2
2018-02-07
Kde · Kde Plasma Workspace · CVE-2018-6791
**Name of the Vulnerable Software and Affected Versions**

KDE Plasma Workspace versions prior to 5.12.0

**Description**

An issue was discovered in the device service action of KDE Plasma Workspace. When a vfat thumbdrive with a volume label containing backticks (``) or `$()` is plugged in and mounted, the label is interpreted as a shell command. This can lead to arbitrary command execution. For example, a volume label like `$(touch b)` can create a file called `b` in the home folder.

**Recommendations**

For versions prior to 5.12.0, update to version 5.12.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the device notifier to mount vfat thumbdrives with potentially malicious volume labels until a patch is applied. Restrict access to the device notifier to minimize the risk of exploitation.