VYPR
High severity8.8NVD Advisory· Published Dec 14, 2017· Updated Jun 17, 2026

CVE-2017-17520

CVE-2017-17520

Description

tools/url_handler.pl in TIN 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has reported that this is intentional behavior, because the documentation states "url_handler.pl was designed to work together with tin which only issues shell escaped absolute URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Tin/Tininferred2 versions
    = 2.4.1+ 1 more
    • (no CPE)range: = 2.4.1
    • (no CPE)range: =2.4.1
  • cpe:2.3:a:debian:tin:2.4.1:*:*:*:*:*:*:*

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.