PT-2017-13491 · Newsbeuter+3
Noctux · Published 2017-09-17 · Updated 2020-10-21
CVE-2017-14500
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Newsbeuter versions 0.3 through 2.9
Description
The podcast playback function of Podbeuter, Newsbeuter's podcast download and playback component, does not properly neutralize special elements used in an OS command (OS command injection). A remote attacker who controls a feed can craft an RSS item whose media enclosure (the podcast file) has a filename containing shell metacharacters; when the user plays that file, the metacharacters are interpreted by the shell and arbitrary commands run with the user's privileges. Exploitation is user-assisted: the victim has to download and play the enclosure. The affected code is in pb_controller.cpp and queueloader.cpp.
Recommendations
For Newsbeuter versions 0.3 through 2.9, disable or avoid the Podbeuter podcast playback function until a fixed build is installed. The vector requires user interaction (UI:R): the payload runs only when the user plays a queued enclosure, so in the meantime do not download or play enclosures from feeds you do not control, and inspect the names of queued podcast files for shell metacharacters (for example $, backticks, ;, |, &, quotes) before playing them. Restrict use of the podcast feature to trusted feeds to reduce exposure. Upgrade to a release newer than 2.9, or to a distribution package that carries the backported fix, as soon as one is available; this advisory does not itself identify a fixed upstream version.
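The following C++ is an added illustration of the weakness class behind this CVE and is not Newsbeuter's or Podbeuter's code. It shows a hypothetical "before" in which a filename derived from an enclosure URL is spliced into a shell command string (escaping only double quotes, which leaves $(...) and backticks active), and beside it the two fixes a reviewer would ask for: POSIX single-quote escaping if a shell really must be used, and running the player through execvp with an argv array so that no shell ever parses the filename. A small sanitiser for filenames derived from enclosure URLs rounds it out as defence in depth on the download side. All function names, the player string and the sample URL are assumptions made for this example.

```cpp
// Added illustration of OS command injection in a podcast player; not
// Newsbeuter's own code. Function names and sample inputs are assumptions.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Hypothetical "before": player and downloaded filename are glued into one
// string that a shell will parse. Escaping only the double quote is not
// neutralization: $(...), backticks and other metacharacters stay active
// inside double quotes, so a filename like ep1$(id).mp3 would run `id`.
std::string build_player_command_unsafe(const std::string& player,
                                        const std::string& file) {
    std::string escaped;
    for (char c : file) {
        if (c == '"') escaped += '\\';
        escaped += c;
    }
    return player + " \"" + escaped + "\"";   // would be handed to system()
}

// Fix A (only if a shell cannot be avoided): POSIX single-quote quoting.
// Nothing is interpreted inside single quotes; an embedded ' becomes '\'' .
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Fix B (preferred): no shell at all. Player and filename are separate argv
// entries passed to execvp, so metacharacters in the name are just bytes.
// Returns the player's exit status, or -1 on fork/exec/wait failure.
int play_file_no_shell(const std::string& player, const std::string& file) {
    std::vector<std::string> args = {player, file};
    std::vector<char*> argv;
    for (std::string& a : args) argv.push_back(&a[0]);
    argv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv.data());
        _exit(127);                          // exec failed in the child
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

// Defence in depth on the download side: derive the local filename from the
// enclosure URL's last path segment, keep only [A-Za-z0-9._-], and never let
// the result start with a dot (hidden file or ".." traversal).
std::string enclosure_filename(const std::string& url) {
    std::string path = url.substr(0, url.find_first_of("?#"));
    std::string name = path.substr(path.find_last_of('/') + 1);
    std::string out;
    for (char c : name) {
        bool ok = std::isalnum(static_cast<unsigned char>(c)) ||
                  c == '.' || c == '_' || c == '-';
        out += ok ? c : '_';
    }
    while (!out.empty() && out[0] == '.') out.erase(0, 1);
    return out.empty() ? "download" : out;
}

int main() {
    // Constructed sample: an enclosure whose filename carries a command substitution.
    const std::string url = "http://feed.example/ep1$(id).mp3?t=1";
    const std::string raw = "ep1$(id).mp3";
    std::printf("unsafe:    %s\n", build_player_command_unsafe("mpv", raw).c_str());
    std::printf("quoted:    %s\n", shell_quote(raw).c_str());
    std::printf("sanitised: %s\n", enclosure_filename(url).c_str());
    // play_file_no_shell("mpv", enclosure_filename(url)) would exec mpv directly.
    return 0;
}
```

The argv-based variant is the real fix: a configured player string that carries options (for example "mpv --no-video") then has to be tokenised by the program itself rather than by /bin/sh, which is exactly the point. The sanitiser is a second layer, not a substitute; a filename that is safe for one shell is still an untrusted string and should never reach a shell unquoted.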
Weakness Enumeration
OS Command Injection (CWE-78)
Related identifiers
CVE-2017-14500
Affected products
Alt Linux
Newsbeuter
Suse
Ubuntu