XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.

The remote host is affected by the vulnerability described in GLSA-202409-09 (Exo: Arbitrary Code Execution)

    A vulnerability has been discovered in Exo. Please review the CVE identifiers referenced below for     details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-6008-1 advisory.

    It was discovered that Exo did not properly sanitized desktop files. A remote attacker could possibly use     this issue to to cause a crash or arbitrary code execution.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-3056 advisory.

  - XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an     attacker-controlled FTP server. (CVE-2022-32278)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-5164 advisory.

    It was discovered that exo, a support library for the Xfce desktop environment, would allow executing     remote .desktop files. In some scenario, an attacker could use this vulnerability to trick an user an     execute arbitrary code on the platform with the privileges of that user. For the oldstable distribution     (buster), this problem has been fixed in version 0.12.4-1+deb10u1. For the stable distribution (bullseye),     this problem has been fixed in version 4.16.0-1+deb11u1. We recommend that you upgrade your exo packages.
    For the detailed security status of exo please refer to its security tracker page at: https://security-     tracker.debian.org/tracker/exo

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 55cff5d2-e95c-11ec-ae20-001999f8d30b advisory.

  - XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an     attacker-controlled FTP server. (CVE-2022-32278)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
207568	GLSA-202409-09 : Exo: Arbitrary Code Execution	Nessus	Gentoo Local Security Checks	high
174153	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 ESM : Exo vulnerability (USN-6008-1)	Nessus	Ubuntu Local Security Checks	high
162488	Debian DLA-3056-1 : exo - LTS security update	Nessus	Debian Local Security Checks	high
162403	Debian DSA-5164-1 : exo - security update	Nessus	Debian Local Security Checks	high
162134	FreeBSD : XFCE -- Allows executing malicious .desktop files pointing to remote code (55cff5d2-e95c-11ec-ae20-001999f8d30b)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2022-32278

high

Tenable Plugins

high

high

high

high

high