Pidgin Security Advisory

Title: MSN file download vulnerability
Date: 2010-01-08
CVE Name: CVE-2010-0013
Discovered By: Fabian Yamaguchi
Summary: A remote user can download arbitrary files from a libpurple-based client.
Description: The MSN protocol plugin extracts the filename of a custom emoticon from an incoming request and uploads that file without correlating the filename to a valid custom emoticon.
Fixed in Revision: 7e381f84b894
Fixed in Version: 2.6.5
Fix: Check that the requested custom emoticon is valid before uploading its file data.
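
The check described under Fix, sketched as an added example: this is not the Pidgin patch and not libpurple code. The struct, both function names, and the registry entries are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical registry entry: one custom emoticon the local user defined. */
struct emoticon {
    const char *name;  /* name a peer may ask for */
    const char *path;  /* local file that backs the emoticon */
};

/* Constructed sample data; names and paths are placeholders. */
static const struct emoticon registry[] = {
    { "smile.png", "/emoticons/smile.png" },
    { "wave.gif",  "/emoticons/wave.gif"  },
};

/* Behaviour the advisory describes as the flaw: the name taken from the
 * request is used as the file to send, with no lookup in the registry. */
static const char *file_for_request_unchecked(const char *requested)
{
    return requested;
}

/* Behaviour after the fix: only an exact match with a registered emoticon
 * yields a file, and the path returned is the registry's own, never the
 * string supplied by the peer. */
static const char *file_for_request_checked(const char *requested)
{
    size_t i;

    if (requested == NULL)
        return NULL;
    for (i = 0; i < sizeof registry / sizeof registry[0]; i++) {
        if (strcmp(requested, registry[i].name) == 0)
            return registry[i].path;
    }
    return NULL;  /* not a registered emoticon: refuse the transfer */
}

int main(void)
{
    const char *asked = "notes.txt";  /* constructed: not in the registry */
    const char *file = file_for_request_checked(asked);

    printf("%s -> %s\n", asked, file ? file : "(refused)");
    return 0;
}
```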
