CVE-2017-17525

Name of the Vulnerable Software and Affected Versions xTuple PostBooks version 4.7.0

Description The issue concerns the guiclient/guiclient.cpp component in xTuple PostBooks, which fails to validate strings before launching a program specified by the BROWSER environment variable. This could potentially allow remote attackers to conduct argument-injection attacks via a crafted URL.

Recommendations For xTuple PostBooks version 4.7.0, consider validating strings before launching the program specified by the BROWSER environment variable to prevent argument-injection attacks. As a temporary workaround, restrict the use of the BROWSER environment variable until a patch is available.