CVE-2013-7416 : canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote feed servers

canto_curses/guibase.py in Canto Curses before 0.9.0 allows remote feed servers to execute arbitrary commands via shell metacharacters in a URL in a feed.

Published 2014-12-03 21:59:00

Updated 2025-04-12 10:46:41

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2013-7416

Canto » Canto Curses » Update Alpha5
Versions up to, including, (<=) 0.9.0
cpe:2.3:a:canto:canto_curses:*:alpha5:*:*:*:*:*:*
Matching versions
Canto » Canto Curses » Version: 0.9.0 Update Alpha4
cpe:2.3:a:canto:canto_curses:0.9.0:alpha4:*:*:*:*:*:*
Matching versions
Canto » Canto Curses » Version: 0.8.4
cpe:2.3:a:canto:canto_curses:0.8.4:*:*:*:*:*:*:*
Matching versions
Canto » Canto Curses » Version: 0.9.0 Update Alpha3
cpe:2.3:a:canto:canto_curses:0.9.0:alpha3:*:*:*:*:*:*
Matching versions
Canto » Canto Curses » Version: 0.9.0 Update Alpha2
cpe:2.3:a:canto:canto_curses:0.9.0:alpha2:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-7416

EPSS FAQ

1.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 77 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-7416

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2013-7416

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-7416

http://seclists.org/oss-sec/2014/q4/832

oss-sec: Re: CVE request: Canto Feed URL Parsing Command Line Injection
Exploit
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731582

#731582 - canto: command line injection in urls inside feeds - Debian Bug report logs
https://exchange.xforce.ibmcloud.com/vulnerabilities/98947

Canto URL feed command execution CVE-2013-7416 Vulnerability Report
http://seclists.org/oss-sec/2014/q4/826

oss-sec: CVE request: Canto Feed URL Parsing Command Line Injection
Exploit
http://www.securityfocus.com/bid/71323

Canto Curses CVE-2013-7416 Remote Command Injection Vulnerability
https://github.com/themoken/canto-curses/commit/2817869f98c54975f31e2dd674c1aefa70749cca

Proper URL quoting to avoid shell injection · themoken/canto-curses@2817869 · GitHub
Exploit

Jump to

Vulnerability Details : CVE-2013-7416

Products affected by CVE-2013-7416

Exploit prediction scoring system (EPSS) score for CVE-2013-7416

CVSS scores for CVE-2013-7416

CWE ids for CVE-2013-7416

References for CVE-2013-7416