A vulnerability has been discovered in xfce4-settings which could result in universal cross site scripting ("uXSS").
|Package||xfce-base/xfce4-settings on all architectures|
|Affected versions||< 4.17.1|
|Unaffected versions||>= 4.17.1|
xfce4-settings contains the configuration system for the Xfce desktop environment.
xfce4-settings does not sufficiently sanitize URLs opened via xdg4-mime-helper-tool (which is called when a user clicks a link in e.g. Firefox).
The vulnerability can be leveraged into 1-click universal cross site scripting in some browsers, or potentially other unspecified impact.
There is no known workaround at this time.
All xfce4-settings users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=xfce-base/xfce4-settings-4.17.1"
May 03, 2023
May 03, 2023: 1