PT-2017-14840 · Geometry Center+1 · Geomview+1
Glsamaker/Cvetool Bot
·
Published
2017-12-14
·
Updated
2024-08-05
·
CVE-2017-17530
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Geomview version 1.9.5
Description
The issue concerns the
common/help.c file in Geomview, which does not validate strings before launching the program specified by the BROWSER environment variable. This might allow remote attackers to conduct argument-injection attacks via a crafted URL. However, it is noted that this issue is disputed by a third party because no untrusted input can be used for the injection.Recommendations
For Geomview version 1.9.5, consider validating strings before launching the program specified by the
BROWSER environment variable to prevent potential argument-injection attacks. As a temporary workaround, restrict the use of the BROWSER environment variable to trusted inputs until a more comprehensive solution is available.Exploit
Fix
Special Elements Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Geomview