CVE-2013-1436

EPSS 7.1%

code injection in xmonad-contrib

Published: 11/14/2025Modified: 4/28/2026

Also known as:DEBIAN-CVE-2013-1436HSEC-2023-0003

Description

The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.

Affected packages (2)

Debian/xmonad-contribfrom 0, < 0.11.2-1
Hackage/xmonad-contrib>= 0.5, < 0.11.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 2.0	—	AV:N/AC:L/Au:N/C:P/I:P/A:P

References (4)

ADVISORYhttps://security.gentoo.org/glsa/201405-28
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2013-1436
PATCHhttps://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51
WEBhttp://www.openwall.com/lists/oss-security/2013/07/26/5