https://bugzilla.suse.com/show_bug.cgi?id=1227393 Bug ID: 1227393 Summary: VUL-0: CVE-2024-39844: znc: arbitrary code embedded into the kick reason executed while kicking someone on a channel Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/412810/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: mpluskal@suse.com Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: camila.matos@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39844 https://seclists.org/oss-sec/2024/q3/23 https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e https://www.cve.org/CVERecord?id=CVE-2024-39844 https://github.com/znc/znc/releases/tag/znc-1.9.1 https://wiki.znc.in/Category:ChangeLog https://wiki.znc.in/ChangeLog/1.9.1 http://www.openwall.com/lists/oss-security/2024/07/03/9 -- You are receiving this mail because: You are on the CC list for the bug.