cvelist | BLSOPS | CVELIST:CVE-2023-3434
History: Jul 14, 2023 - 12:29 p.m.

CVE-2023-3434 QRC Handler without Input Validation in Jami

2023-07-14 12:29:34
CWE-20
BLSOPS
www.cve.org
1
cve-2023-3434
input validation
savoir-faire linux's jami
windows
html anchor tag
messenger

CVSS3: 4.4

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

AI Score: 5.7
Confidence: High

EPSS: 0.001
Percentile: 33.9%

Improper Input Validation in the hyperlink interpretation in Savoir-faire Linux’s Jami (version 20222284) on Windows.

This allows an attacker to send a custom HTML anchor tag to pass a string value to the Windows QRC Handler through the Jami messenger.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows"
    ],
    "product": "Jami",
    "repo": "https://git.jami.net/savoirfairelinux",
    "vendor": "Savoir-faire Linux",
    "versions": [
      {
        "status": "affected",
        "version": "20222284"
      }
    ]
  }
]
