CVE-2017-5078

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 59.0.3071.86

Description The issue is related to insufficient validation of untrusted input in Blink's mailto: handling, allowing a remote attacker to perform command injection via a crafted HTML page. This is similar to a previously known issue. For example, characters such as * interact incorrectly with xdg-email in xdg-utils, and a space character can be used in front of a command-line argument.

Recommendations For Google Chrome versions prior to 59.0.3071.86, update to version 59.0.3071.86 or later to resolve the issue. As a temporary workaround, consider avoiding the use of mailto: links in HTML pages until the update is applied. Restrict access to the xdg-email utility in xdg-utils to minimize the risk of exploitation. Avoid using characters such as * and space in front of command-line arguments in mailto: links.