
CVE-2021-27229: FIX(client): Only allow "http"/"https" for URLs in ConnectDialog · mumble-voip/mumble@e59ee87

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.


FIX(client): Only allow "http"/"https" for URLs in ConnectDialog

Our public server list registration script doesn’t have a URL scheme whitelist for the website field.

Turns out a malicious server can register itself with a dangerous URL in an attempt to attack a user’s machine.

User interaction is required, as the URL has to be opened by right-clicking on the server entry and clicking on "Open Webpage".

This commit introduces a client-side whitelist, which only allows “http” and “https” schemes. We will also implement it in our public list.

In future we should probably add a warning QMessageBox informing the user that there’s no guarantee the URL is safe (regardless of the scheme).

Thanks a lot to https://positive.security for reporting the RCE vulnerability to us privately.


Showing with 17 additions and 3 deletions.

  1. +17 −3 src/mumble/ConnectDialog.cpp
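
The client-side scheme allowlist described in the commit message, as an added example using only the C++ standard library. It is not the code from the Mumble commit; the function names `urlScheme` and `isAllowedWebpageUrl` and the sample URLs are constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Returns the lower-cased scheme of `url`, or "" when the string does not
// start with a syntactically valid RFC 3986 scheme:
//   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
std::string urlScheme(const std::string &url) {
    const std::size_t colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    std::string scheme;
    for (std::size_t i = 0; i < colon; ++i) {
        const unsigned char c = static_cast<unsigned char>(url[i]);
        const bool ok = std::isalpha(c) ||
                        (i > 0 && (std::isdigit(c) || c == '+' || c == '-' || c == '.'));
        if (!ok) return "";  // whitespace, '/', control bytes etc. are not scheme characters
        scheme.push_back(static_cast<char>(std::tolower(c)));
    }
    return scheme;
}

// Allowlist, not denylist: only "http" and "https" may be handed to the
// operating system's URL handler. Everything else is refused, including
// strings with no scheme at all.
bool isAllowedWebpageUrl(const std::string &url) {
    const std::string scheme = urlScheme(url);
    return scheme == "http" || scheme == "https";
}

int main() {
    // Constructed sample values, not taken from any real server list.
    const char *samples[] = {"https://example.com/",    "HTTP://example.com",
                             "ftp://example.com/x",     "mailto:user@example.com",
                             "example.com",             " https://example.com",
                             "httpx://example.com"};
    for (const char *s : samples)
        std::cout << (isAllowedWebpageUrl(s) ? "open   " : "refuse ") << '"' << s << "\"\n";
    return 0;
}
```

The check compares the whole parsed scheme rather than a string prefix, so `httpx://` is refused, and it normalises case so `HTTP://` is accepted.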
