CVE-2018-1000523: Topydo Improper Input Validation vulnerability

September 13, 2018 (updated November 13, 2024)

topydo contains a CWE-20: Improper Input Validation vulnerability in ListFormatParser::parse, file topydo/lib/ListFormat.py line 292 as of d4f843dac71308b2f29a7c2cdc76f055c3841523 that can result in Injection of arbitrary bytes to the terminal, including terminal escape code sequences. This attack appear to be exploitable via The victim must open a todo.txt with at least one specially crafted line.

References

github.com/advisories/GHSA-h6h9-pphv-m266
github.com/bram85/topydo
github.com/bram85/topydo/blob/master/topydo/lib/ListFormat.py
github.com/bram85/topydo/issues/240
github.com/pypa/advisory-database/tree/main/vulns/topydo/PYSEC-2018-76.yaml
nvd.nist.gov/vuln/detail/CVE-2018-1000523

Detect and mitigate CVE-2018-1000523 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →