Lucene search

GitHub Advisory DatabaseGHSA-H6H9-PPHV-M266

HistorySep 13, 2018 - 3:47 p.m.

Topydo Improper Input Validation vulnerability

2018-09-1315:47:26

CWE-20

GitHub Advisory Database

github.com

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

0.001 Low

EPSS

Percentile

43.6%

JSON

topydo contains a CWE-20: Improper Input Validation vulnerability in ListFormatParser::parse, file topydo/lib/ListFormat.py line 292 as of d4f843dac71308b2f29a7c2cdc76f055c3841523 that can result in Injection of arbitrary bytes to the terminal, including terminal escape code sequences. This attack appear to be exploitable via The victim must open a todo.txt with at least one specially crafted line.

Affected configurations

Vulners

Node

topydotopydoRange≤0.13

CPENameOperatorVersion
topydole0.13

CPE	Name	Operator	Version
	topydo	le	0.13

References

github.com/advisories/GHSA-h6h9-pphv-m266

github.com/bram85/topydo/blob/master/topydo/lib/ListFormat.py#L292

github.com/bram85/topydo/issues/240

nvd.nist.gov/vuln/detail/CVE-2018-1000523

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

0.001 Low

EPSS

Percentile

43.6%

JSON

Related for GHSA-H6H9-PPHV-M266