CVE-2017-17524

Name of the Vulnerable Software and Affected Versions SWI-Prolog version 7.2.3

Description The issue is related to the library/www browser.pl in SWI-Prolog, which does not validate strings before launching the program specified by the BROWSER environment variable. This could allow remote attackers to conduct argument-injection attacks via a crafted URL.

Recommendations For SWI-Prolog version 7.2.3, consider validating strings before launching the program specified by the BROWSER environment variable to prevent argument-injection attacks. As a temporary workaround, restrict the use of the BROWSER environment variable until a patch is available.