CVE-2017-17512

Name of the Vulnerable Software and Affected Versions sensible-utils versions prior to 0.0.11

Description The issue allows remote attackers to conduct argument-injection attacks via a crafted URL. This is possible because the sensible-browser in sensible-utils does not validate strings before launching the program specified by the BROWSER environment variable. For example, a crafted URL could include a --proxy-pac-file argument to exploit this issue.

Recommendations For versions prior to 0.0.11, update to version 0.0.11 or later to resolve the issue. As a temporary workaround, consider validating the BROWSER environment variable to prevent argument-injection attacks. Restrict access to the sensible-browser to minimize the risk of exploitation. Avoid using untrusted URLs to prevent potential attacks until the issue is resolved.