CVE-2023-1350

Name of the Vulnerable Software and Affected Versions liferea (affected versions not specified)

Description A critical issue has been found, affecting the function update job run of the file src/update.c in the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. This issue can be exploited remotely.

Recommendations To fix this issue, it is recommended to apply a patch. Specifically, the patch named 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 should be applied. As a temporary workaround, consider disabling the update job run function until a patch is available. Additionally, if "Extract full content from HTML5 and Google AMP" has been enabled for one or more feed subscriptions, it is recommended to restrict this feature to minimize the risk of exploitation.