High severity8.8NVD Advisory· Published Dec 14, 2017· Updated May 13, 2026
CVE-2017-17520
CVE-2017-17520
Description
tools/url_handler.pl in TIN 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has reported that this is intentional behavior, because the documentation states "url_handler.pl was designed to work together with tin which only issues shell escaped absolute URLs.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- security-tracker.debian.org/tracker/CVE-2017-17520nvdIssue TrackingThird Party Advisory
News mentions
0No linked articles in our index yet.