Xfce
Products
7- 6 CVEs
- 3 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
11| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-45062 | 0.00 | — | 0.01 | Nov 9, 2022 | In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper. | |||
| CVE-2022-32278 | 0.00 | — | 0.02 | Jun 13, 2022 | XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server. | |||
| CVE-2021-32563 | 0.00 | — | 0.03 | May 11, 2021 | An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution. | |||
| CVE-2011-1588 | 0.00 | — | 0.01 | Nov 14, 2019 | Thunar before 1.3.1 could crash when copy and pasting a file name with % format characters due to a format string error. | |||
| CVE-2018-18398 | 0.00 | — | 0.00 | Oct 19, 2018 | Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input method for file searches within File Manager, leading to an out-of-bounds read and SEGV. This could potentially be exploited by an arbitrary local user who creates files in /tmp before the victim uses… | |||
| CVE-2010-3900 | 0.00 | — | 0.01 | Oct 14, 2010 | Midori before 0.2.5, when WebKitGTK+ before 1.1.14 or LibSoup before 2.29.91 is used, does not verify X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary https web sites via a crafted server certificate, a related issue to CVE-2010-3312. | |||
| CVE-2009-4996 | 0.00 | — | 0.00 | Sep 7, 2010 | Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. NOTE: there is no general… | |||
| CVE-2007-6531 | 0.00 | — | 0.03 | Jan 9, 2008 | Stack-based buffer overflow in the Panel (xfce4-panel) component in Xfce before 4.4.2 might allow remote attackers to execute arbitrary code via Launcher tooltips. NOTE: a second buffer overflow (over-read) in the xfce_mkdirhier function was also reported, but it might not be… | |||
| CVE-2007-6532 | 0.00 | — | 0.04 | Jan 9, 2008 | Double free vulnerability in the Widget Library (libxfcegui4) in Xfce before 4.4.2 might allow remote attackers to execute arbitrary code via unknown vectors related to the "cliend id, program name and working directory in session management." | |||
| CVE-2007-3770 | 0.00 | — | 0.02 | Jul 15, 2007 | The terminal_helper_execute function in terminal/terminal.c in Xfce Terminal 0.2.6 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a crafted link, as demonstrated using the "Open Link" functionality. | |||
| CVE-2000-1060 | 0.00 | — | 0.00 | Dec 11, 2000 | The default configuration of XFCE 3.5.1 bypasses the Xauthority access control mechanism with an "xhost + localhost" command in the xinitrc program, which allows local users to sniff X Windows traffic and gain privileges. |
- CVE-2022-45062Nov 9, 2022risk 0.00cvss —epss 0.01
In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.
- CVE-2022-32278Jun 13, 2022risk 0.00cvss —epss 0.02
XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.
- CVE-2021-32563May 11, 2021risk 0.00cvss —epss 0.03
An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.
- CVE-2011-1588Nov 14, 2019risk 0.00cvss —epss 0.01
Thunar before 1.3.1 could crash when copy and pasting a file name with % format characters due to a format string error.
- CVE-2018-18398Oct 19, 2018risk 0.00cvss —epss 0.00
Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input method for file searches within File Manager, leading to an out-of-bounds read and SEGV. This could potentially be exploited by an arbitrary local user who creates files in /tmp before the victim uses…
- CVE-2010-3900Oct 14, 2010risk 0.00cvss —epss 0.01
Midori before 0.2.5, when WebKitGTK+ before 1.1.14 or LibSoup before 2.29.91 is used, does not verify X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary https web sites via a crafted server certificate, a related issue to CVE-2010-3312.
- CVE-2009-4996Sep 7, 2010risk 0.00cvss —epss 0.00
Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. NOTE: there is no general…
- CVE-2007-6531Jan 9, 2008risk 0.00cvss —epss 0.03
Stack-based buffer overflow in the Panel (xfce4-panel) component in Xfce before 4.4.2 might allow remote attackers to execute arbitrary code via Launcher tooltips. NOTE: a second buffer overflow (over-read) in the xfce_mkdirhier function was also reported, but it might not be…
- CVE-2007-6532Jan 9, 2008risk 0.00cvss —epss 0.04
Double free vulnerability in the Widget Library (libxfcegui4) in Xfce before 4.4.2 might allow remote attackers to execute arbitrary code via unknown vectors related to the "cliend id, program name and working directory in session management."
- CVE-2007-3770Jul 15, 2007risk 0.00cvss —epss 0.02
The terminal_helper_execute function in terminal/terminal.c in Xfce Terminal 0.2.6 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a crafted link, as demonstrated using the "Open Link" functionality.
- CVE-2000-1060Dec 11, 2000risk 0.00cvss —epss 0.00
The default configuration of XFCE 3.5.1 bypasses the Xauthority access control mechanism with an "xhost + localhost" command in the xinitrc program, which allows local users to sniff X Windows traffic and gain privileges.