
CVE-2019-12761: Code Injection in PyXDG

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.55812%
Published: 6/7/2019
Updated: 10/15/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: pyxdg
Ecosystem: pip
Vulnerable Versions: < 0.26
First Patched Version: 0.26

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is in the xdg.Menu.parse function in xdg/Menu.py, which parses .menu files. The text of a Category element is spliced into a Python expression string that is compiled and passed to eval() without sanitization, so a crafted Category value can close the generated string literal and run arbitrary Python in the process that parses the menu. The PoC confirms that calling xdg.Menu.parse on a malicious .menu file executes attacker-chosen commands through this eval call, and the advisory attributes the issue to the missing sanitization before eval in this component.
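The following is an added example, not code from pyxdg or from Miggo. It models the mechanism described above in a simplified form: a rule compiler that builds a Python expression from Category text and hands it to eval(), next to a hardened matcher that only ever compares that text as a string. MenuEntry, record, SIDE_EFFECTS, run_rule and the two .menu snippets are constructed for the demonstration; the injected payload calls a local record() function rather than a shell command so the effect is observable without doing anything harmful.

```python
"""Added example (not pyxdg's own code): a minimal model of the
CVE-2019-12761 mechanism. In the vulnerable variant the Category text of
an Include rule becomes Python source that eval() runs; the hardened
variant keeps that text as data."""
import xml.etree.ElementTree as ET


class MenuEntry:
    """Stand-in for the desktop entry object that menu rules are matched against."""

    def __init__(self, categories):
        self.Categories = list(categories)


# Records that injected code ran; stands in for os.system() in a real payload.
SIDE_EFFECTS = []


def record(tag):
    SIDE_EFFECTS.append(tag)
    return True


def compile_rule_vulnerable(include_node):
    """Vulnerable: Category text is interpolated into Python source.

    The text sits inside single quotes in the generated expression, so a
    value containing a quote breaks out of the string literal."""
    parts = []
    for child in include_node:
        if child.tag == "Category":
            parts.append("'%s' in menuentry.Categories" % (child.text or ""))
    expr = " or ".join(parts) or "False"
    code = compile(expr, "<menu>", "eval")

    def matches(menuentry):
        # Bare eval() sees this module's globals (record, __import__ via
        # builtins, ...) plus the local `menuentry`, much as the real
        # matcher saw Menu.py's module namespace.
        return bool(eval(code))

    return matches


def compile_rule_safe(include_node):
    """Hardened: Category text is compared as a string and never compiled."""
    wanted = [child.text or "" for child in include_node if child.tag == "Category"]

    def matches(menuentry):
        return any(cat in menuentry.Categories for cat in wanted)

    return matches


def run_rule(menu_xml, entry, vulnerable):
    """Parse one <Menu> holding a single <Include>, apply its rule to `entry`,
    and return (matched, side_effects_seen_during_matching)."""
    root = ET.fromstring(menu_xml)
    include = root.find("Include")
    rule = (compile_rule_vulnerable if vulnerable else compile_rule_safe)(include)
    SIDE_EFFECTS.clear()
    matched = rule(entry)
    return matched, list(SIDE_EFFECTS)


# Constructed sample .menu documents (not taken from any real distribution).
BENIGN_MENU = """<Menu>
  <Name>Applications</Name>
  <Include><Category>Network</Category></Include>
</Menu>"""

# The Category value closes the generated string literal, calls record(),
# then reopens a literal so the whole expression still parses.
MALICIOUS_MENU = """<Menu>
  <Name>Applications</Name>
  <Include><Category>' in [] or record('injected') or '</Category></Include>
</Menu>"""


if __name__ == "__main__":
    game = MenuEntry(["Game"])
    print("benign, vulnerable:   ", run_rule(BENIGN_MENU, MenuEntry(["Network"]), True))
    print("malicious, vulnerable:", run_rule(MALICIOUS_MENU, game, True))
    print("malicious, hardened:  ", run_rule(MALICIOUS_MENU, game, False))
```

With the vulnerable compiler the malicious entry "matches" every desktop entry and record() fires during matching; with the hardened compiler the same Category text is just a string that matches nothing. Two practical caveats follow from the page's own data: the attacker still has to place the .menu file in a directory that xdg.Menu.parse scans (the XDG_CONFIG_DIRS condition in the description), which is why the vector rates attack complexity High with user interaction required, and the check for a deployment is simply that the installed pyxdg is 0.26 or later (`pip show pyxdg`).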


WAF Protection Rules

WAF Rule

A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file.
