CVE-2024-36053

Name of the Vulnerable Software and Affected Versions mintupload versions through 4.2.0

Description The issue is related to service-name mishandling, which leads to command injection via shell metacharacters in functions such as check connection, drop data received cb, and Service.remove. A user can modify a service name in a ~/.linuxmint/mintUpload/services/service file to exploit this. The issue enables local attacks and can lead to system compromise.

Recommendations For versions through 4.2.0, patch immediately to prevent system compromise. As a temporary workaround, consider restricting access to the check connection, drop data received cb, and Service.remove functions until a patch is available. Additionally, avoid modifying service names in ~/.linuxmint/mintUpload/services/service files to minimize the risk of exploitation.