{"id":"CVE-2017-12904","details":"Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.","modified":"2026-04-11T04:14:21.971051Z","published":"2017-08-23T14:29:00.393Z","references":[{"type":"WEB","url":"https://groups.google.com/forum/#%21topic/newsbeuter/iFqSE7Vz-DE"},{"type":"WEB","url":"https://usn.ubuntu.com/4585-1/"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3947"},{"type":"REPORT","url":"https://github.com/akrennmair/newsbeuter/issues/591"},{"type":"FIX","url":"https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/akrennmair/newsbeuter","events":[{"introduced":"0"},{"last_affected":"277c4a033f4d8d56aa564f6da25662692fc137d3"},{"introduced":"0"},{"last_affected":"4865e6654586ddf51aaf743e940d0c7bb088b3d2"},{"introduced":"0"},{"last_affected":"47ead54bf2e0dd4fd3f29dfb94fb05d95f941ce2"},{"introduced":"0"},{"last_affected":"23e85563585d0e4c5ef2774d2f2f0c893b951c20"},{"introduced":"0"},{"last_affected":"1a42ef8f8db3e4ce872504b9e92e802f03ed52f4"},{"introduced":"0"},{"last_affected":"12034ce711cea811e1a7df003cf301bcfc0d3e6b"},{"introduced":"0"},{"last_affected":"46bf71384211aee2fafe9e435fb7b72641414cb4"},{"introduced":"0"},{"last_affected":"9046a2b1596d9a284f10864388b5424d59dfa6d4"},{"introduced":"0"},{"last_affected":"52ed8907d0c3cba22aed84ae4a31d090d0fbf746"},{"introduced":"0"},{"last_affected":"4a447917f7c8b33ef3aae8cd221c47dbdb1c3246"},{"introduced":"0"},{"last_affected":"3e052f72797359e3f39c0065912f1611ad088085"},{"introduced":"0"},{"last_affected":"2970498501bbffeaa00120fee041e4a2620029d7"},{"introduced":"0"},{"last_affected":"99ee8f03c64b26b1deafaa10345982d917c8bdd1"},{"introduced":"0"},{"last_affected":"f9764f0ac59372876b41166cf085dce4f5e6f83e"},{"introduced":"0"},{"last_affected":"b90782df7846f4279c1ed55d6d57e6d4f37fc94b"},{"introduced":"0"},{"last_affected":"6548dd953f4067e663c43d306110d9bba8525760"},{"introduced":"0"},{"last_affected":"799389f6a4d9336da46b948a6c2d86d50fdbc8ab"},{"introduced":"0"},{"last_affected":"fe0d8362626054a506e8e9c9819e2fe1623807db"},{"introduced":"0"},{"last_affected":"8df68f426ca4360fcced0edf8fb48cd6088f0e90"},{"introduced":"0"},{"last_affected":"969fcb163d541fa26f4600c6ae0bfe3d36309823"},{"fixed":"96e9506ae9e252c548665152d1b8968297128307"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.7"},{"introduced":"0"},{"last_affected":"0.8"},{"introduced":"0"},{"last_affected":"0.8.1"},{"introduced":"0"},{"last_affected":"0.8.2"},{"introduced":"0"},{"last_affected":"0.9"},{"introduced":"0"},{"last_affected":"0.9.1"},{"introduced":"0"},{"last_affected":"1.0"},{"introduced":"0"},{"last_affected":"1.1"},{"introduced":"0"},{"last_affected":"1.2"},{"introduced":"0"},{"last_affected":"1.3"},{"introduced":"0"},{"last_affected":"2.0"},{"introduced":"0"},{"last_affected":"2.1"},{"introduced":"0"},{"last_affected":"2.2"},{"introduced":"0"},{"last_affected":"2.3"},{"introduced":"0"},{"last_affected":"2.4"},{"introduced":"0"},{"last_affected":"2.5"},{"introduced":"0"},{"last_affected":"2.6"},{"introduced":"0"},{"last_affected":"2.7"},{"introduced":"0"},{"last_affected":"2.8"},{"introduced":"0"},{"last_affected":"2.9"}]}}],"versions":["newsbeuter-0.7","newsbeuter-0.8","newsbeuter-0.8.1","newsbeuter-0.8.2","newsbeuter-0.9","newsbeuter-0.9.1","newsbeuter-1.0","newsbeuter-1.1","newsbeuter-1.2","newsbeuter-1.3","r2.0","r2.1","r2.2","r2.3","r2.4","r2.5","r2.6","r2.7","r2.8","r2.9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"vanir_signatures_modified":"2026-04-11T04:14:21Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12904.json","vanir_signatures":[{"id":"CVE-2017-12904-80defa35","signature_type":"Function","target":{"function":"controller::bookmark","file":"src/controller.cpp"},"digest":{"function_hash":"156371956141367904438567274571704191043","length":1137},"deprecated":false,"source":"https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307","signature_version":"v1"},{"id":"CVE-2017-12904-a213a0e6","signature_type":"Line","target":{"file":"src/controller.cpp"},"digest":{"threshold":0.9,"line_hashes":["311467814947250909956345134156606465782","120649832345985744059501555645473888522","291634685458980627202111577571935776043","69626142850719159396634039256131327469","108602646767993423147163902786916057536","98085112480429494262981916468034871801","92970788905403075723020112092901087587","252124518186464253228361430297539845061","254514588870447734634416090126986229927"]},"deprecated":false,"source":"https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}