CVE-2017-18266

Name of the Vulnerable Software and Affected Versions: xdg-utils versions prior to 1.1.3

Description: The issue is related to the open envvar function in xdg-open, which does not properly validate strings before launching the program specified by the BROWSER environment variable. This could allow remote attackers to conduct argument-injection attacks via a crafted URL. For example, using %s in the BROWSER environment variable could lead to such an attack. The vulnerability might also allow a remote attacker to gain unauthorized access to information and disrupt its integrity and availability.

Recommendations: For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider validating the strings passed to the open envvar function or restricting the use of the BROWSER environment variable to minimize the risk of exploitation.