Pidgin Security Advisory
| Title | MSN file download vulnerability |
|---|
| Date | 2010-01-08 |
|---|
| CVE Name | CVE-2010-0013 |
|---|
| Discovered By | Fabian Yamaguchi |
|---|
| Summary | A remote user can download arbitrary files from a libpurple-based client |
|---|
| Description | The MSN protocol plugin extracts the filename of a custom emoticon from an incoming request and uploads that file without correlating the filename to a valid custom emoticon. |
|---|
| Fixed in Revision | 7e381f84b894 |
|---|
| Fixed in Version | 2.6.5 |
|---|
| Fix | Validate the custom emoticon requested is valid before uploading its file data. |
|---|
Return to Security Advisory Index
