Pidgin < 2.12.0 libpurple/util.c purple_markup_unescape_entity() XML Entity Handling RCE
High Nessus Plugin ID 97947
SynopsisAn instant messaging client installed on the remote host is affected by a remote code execution vulnerability.
DescriptionThe version of Pidgin installed on the remote Windows host is prior to 2.12.0. It is, therefore, affected by a remote code execution vulnerability in the libpurple library in util.c due to an out-of-bounds writer error in the purple_markup_unescape_entity() function that is triggered when handling invalid XML entities separated by whitespaces. An unauthenticated, remote attacker can exploit this, via a malicious server, to execute arbitrary code.
SolutionUpgrade to Pidgin version 2.12.0 or later.