PT-2017-1081 · W3M+3

Kcwu · Published 2016-12-07 · Updated 2024-06-15 · CVE-2016-9436

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

w3m versions prior to 0.5.3+git20161009

Description

The issue exists due to insufficient input validation in the parsetagx.c function of the w3m service. This can be exploited by a remote attacker using a specially crafted file to bypass certificate validation. Additionally, the vulnerability allows remote attackers to crash the application via a crafted HTML file related to an <i> tag.

Recommendations

For versions prior to 0.5.3+git20161009, update to version 0.5.3+git20161009 or later to resolve the issue. As a temporary workaround, consider restricting the use of the parsetagx.c function until a patch is available. Avoid using the w3m service with untrusted HTML files until the issue is resolved.

Fix

RCE


Weakness Enumeration

Related Identifiers

ALT-PU-2020-3081
ALT-PU-2020-3099
BDU:2017-00174
CVE-2016-9436
MGASA-2018-0024
OPENSUSE-SU-2024:10235-1
SUSE-SU-2016:3046-1
SUSE-SU-2016:3053-1
USN-3214-1

Affected Products

Alt Linux
Suse
Ubuntu
W3M