Description

** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.

Remediation

References

CVE-2017-17522

Related Vulnerabilities

WordPress Plugin FunCaptcha-Anti-Spam CAPTCHA Multiple Cross-Site Scripting Vulnerabilities (0.4.3)

WordPress Plugin User Submitted Posts Cross-Site Scripting (20151113)

WordPress Plugin Ultimate Maps by Supsystic SQL Injection (1.1.12)

WordPress Plugin WP Review Slider SQL Injection (10.9)

WordPress Plugin YITH WooCommerce Gift Cards Security Bypass (1.3.7)

Severity

High

Classification

CVE-2017-17522 CWE-138 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities