{"id":"HSEC-2023-0003","summary":"code injection in xmonad-contrib","details":"# code injection in *xmonad-contrib*\n\nThe `XMonad.Hooks.DynamicLog` module in _xmonad-contrib_ before\n**0.11.2** allows remote attackers to execute arbitrary commands via a\nweb page title, which activates the commands when the user clicks on\nthe xmobar window title, as demonstrated using an action tag.\n","aliases":["CVE-2013-1436"],"modified":"2025-11-17T05:14:39.412592Z","published":"2025-11-14T14:45:34Z","database_specific":{"repository":"https://github.com/haskell/security-advisories","osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","home":"https://github.com/haskell/security-advisories"},"references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201405-28"},{"type":"DISCUSSION","url":"http://www.openwall.com/lists/oss-security/2013/07/26/5"},{"type":"FIX","url":"https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51"}],"affected":[{"package":{"name":"xmonad-contrib","ecosystem":"Hackage","purl":"pkg:hackage/xmonad-contrib"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.5"},{"fixed":"0.11.2"}]}],"versions":["0.10","0.11","0.11.1","0.5","0.6","0.7","0.8","0.8.1","0.9","0.9.1","0.9.2"],"database_specific":{"source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2023/HSEC-2023-0003.json","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2023/HSEC-2023-0003.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2023/HSEC-2023-0003.md"},"severity":[{"type":"CVSS_V2","score":"AV:N/AC:L/Au:N/C:P/I:P/A:P"}]}],"schema_version":"1.7.5"}