CVEブラウザに戻る

CVE-2017-16667

HIGH

7.8

CVSS Severity Score

EPSS Score0.1360%

EPSS Percentile11.80th

Published2017年11月8日

Last Modified2026年5月13日

Vulnerability Description

backintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands within an os.system call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft an unreadable file with a specific name to run arbitrary shell commands.

Affected Platforms (CPE)

📦

Backintime Project

Backintime

< 1.1.24

References & Advisories

🔗 https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3

🔗 https://github.com/bit-team/backintime/issues/834

🔗 https://github.com/bit-team/backintime/releases/tag/v1.1.24

🔗 https://security.gentoo.org/glsa/201801-06

🔗 https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3

🔗 https://github.com/bit-team/backintime/issues/834

🔗 https://github.com/bit-team/backintime/releases/tag/v1.1.24

🔗 https://security.gentoo.org/glsa/201801-06

関連する脆弱性情報

CVE-2017-75728.1

The _checkPolkitPrivilege function in serviceHelper.py in Back In Time (aka backintime) 1.1.18 and earlier uses a deprecated polki...

CVE-2009-36117.1

common/snapshots.py in Back In Time (aka backintime) 0.9.26 changes certain permissions to 0777 before deleting the files in an ol...

CVE-2026-121917.8

A vulnerability was found in Comma AI Openpilot 0.11. This issue affects the function pickle.load/pickle.loads of the file selfdri...

CVE-2026-121905.3

A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the compo...