In the mintupload package through 4.2.0 for Linux Mint, service-name mishandling leads to command injection via shell metacharacters in check_connection, drop_data_received_cb, and Service.remove. A user can modify a service name in a ~/.linuxmint/mintUpload/services/service file.
[
{
"cpes": [
"cpe:2.3:a:linuxmint:mintupload:-:*:*:*:*:*:*:*"
],
"vendor": "linuxmint",
"product": "mintupload",
"versions": [
{
"status": "affected",
"version": "-",
"versionType": "semver",
"lessThanOrEqual": "4.2.0"
}
],
"defaultStatus": "unknown"
}
]