Description

In Python (aka CPython) through 3.10.4, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments).

Remediation

References

CVE-2015-20107

Related Vulnerabilities

Oracle Database Server CVE-2011-0822 Vulnerability (CVE-2011-0822)

WordPress Plugin Ultimate Maps by Supsystic Cross-Site Scripting (1.2.4)

WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark Multiple Cross-Site Request Forgery Vulnerabilities (2.5.6)

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2022-42111)

Joomla! Core 3.x.x Cross-Site Scripting (3.1.0 - 3.9.23)

Severity

Critical

Classification

CVE-2015-20107 CWE-138 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities