Bugzilla – Bug 1200518
VUL-0: CVE-2022-32278: exo: xdg-open can execute a .desktop file on a server
Last modified: 2022-06-14 10:15:01 UTC
CVE-2022-32278

XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.

References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-32278
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32278
- http://www.cvedetails.com/cve/CVE-2022-32278/
- https://medium.com/@gother.lain
- https://www.linkedin.com/in/igo0r/
- https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f
The following codestreams should be affected:
- openSUSE:Factory/exo
- openSUSE:Backports:SLE-15-SP3/exo
- openSUSE:Backports:SLE-15-SP4/exo