{"id":"PYSEC-2019-199","details":"A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.","aliases":["CVE-2019-12761","GHSA-r6v3-hpxj-r8rv","SNYK-PYTHON-PYXDG-174562"],"modified":"2023-11-08T04:01:06.312371Z","published":"2019-06-06T19:29:00Z","references":[{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562"},{"type":"WEB","url":"https://gist.github.com/dhondta/b45cd41f4186110a354dc7272916feba"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/06/msg00006.html"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-r6v3-hpxj-r8rv"}],"affected":[{"package":{"name":"pyxdg","ecosystem":"PyPI","purl":"pkg:pypi/pyxdg"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.26"}]}],"versions":["0.19","0.20","0.21","0.22","0.23","0.24","0.25"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/pyxdg/PYSEC-2019-199.yaml"}}],"schema_version":"1.7.3"}