In KDE Frameworks KConfig before 5.61.0, malicious desktop files and configuration files lead to code execution with minimal user interaction. This relates to, and the mishandling of .desktop and .directory files, as demonstrated by a shell command on an Icon line in a .desktop file.

References

[email protected]/message/5IRIKH7ZWXELIQT6WSLV7EG3VTFWKZPD/
[email protected]/message/FNHO6FZRYBQ2R3UCFDGS66F6DNNTKCMM/
[email protected]/message/UYKLUSSEK3YJOVQDL6K2LKGS3354UH6L/
[email protected]/message/WTFBQRJAU7ITD3TOMPZAUQMYYCAZ6DTX/
[email protected]/message/YIDXQ6CUB5E7Y3MJWCUY4VR42QAE6SCJ/


Source: MITRE

Published: 2019-08-07

Updated: 2019-08-15

Type: CWE-77

Risk Information

CVSS v2.0

Base Score: 5.1

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 4.9

Severity: MEDIUM

CVSS v3.0

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.8

Severity: HIGH