vendor:
Linux Mint
by:
b1ack0wl
7.5
CVSS
HIGH
Command Injection
CWE
Product Name: Linux Mint
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested: Linux
Linux Mint ‘yelp’ URI handler command injection vulnerability
This module exploits a vulnerability within the 'ghelp', 'help' and 'man' URI handlers within Linux Mint's 'ubuntu-system-adjustments' package. Invoking any one the URI handlers will call the python script '/usr/local/bin/yelp' with the contents of the supplied URI handler as its argument. The script will then search for the strings 'gnome-help' or 'ubuntu-help' and if doesn't find either of them it'll then execute os.system('/usr/bin/yelp %s' % args). User interaction is required to exploit this vulnerability.