A vulnerability has been discovered in xfce4-settings which could result in universal cross site scripting ("uXSS").
| Package | xfce-base/xfce4-settings on all architectures |
|---|---|
| Affected versions | < 4.17.1 |
| Unaffected versions | >= 4.17.1 |
xfce4-settings contains the configuration system for the Xfce desktop environment.
xfce4-settings does not sufficiently sanitize URLs opened via xdg4-mime-helper-tool (which is called when a user clicks a link in e.g. Firefox).
The vulnerability can be leveraged into 1-click universal cross site scripting in some browsers, or potentially other unspecified impact.
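As an added illustration of the defensive pattern at issue (this is not code from xfce4-settings or from the Gentoo fix, and the advisory does not describe the exact sanitization gap): a URL hand-off guard of the kind a MIME/URL helper needs before forwarding a user-supplied URL to a browser. It allowlists the scheme, requires a host, rejects control characters, and builds an argv list rather than a shell string so the URL can be neither shell-interpreted nor mistaken for a browser option.

```python
from urllib.parse import urlsplit

# Constructed policy: only web URLs may be forwarded to the browser.
ALLOWED_SCHEMES = {"http", "https"}


def check_url(url: str) -> str:
    """Return url unchanged if it is safe to hand to a browser, else raise ValueError."""
    if not url or any(c in url for c in "\r\n\x00"):
        raise ValueError("empty URL or control characters in URL")
    parts = urlsplit(url)          # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        # Catches javascript:, data:, file:, and option-like strings (no scheme at all).
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.netloc:
        raise ValueError("missing host")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean wrapper around check_url for callers that just want a verdict."""
    try:
        check_url(url)
        return True
    except ValueError:
        return False


def build_browser_argv(browser: str, url: str) -> list[str]:
    """argv for subprocess.run(..., shell=False): the validated URL is always a
    scheme-prefixed positional argument, never a shell string or an option."""
    return [browser, check_url(url)]


if __name__ == "__main__":
    # Constructed sample inputs a helper might receive from a clicked link.
    for candidate in ["https://example.com/path?q=1", "javascript:alert(1)",
                      "-remote openURL(https://example.com)", "file:///etc/passwd"]:
        print(f"{candidate!r:45} -> {'forward' if is_safe_url(candidate) else 'reject'}")
```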
There is no known workaround at this time.
All xfce4-settings users should upgrade to the latest version:
```
# emerge --sync
# emerge --ask --oneshot --verbose ">=xfce-base/xfce4-settings-4.17.1"
```
Release date: May 03, 2023
Latest revision: May 03, 2023: 1
Severity: normal
Exploitable: remote
Bugzilla entries