XfceCVEs & Vulnerabilities

8 CVEs affecting Xfce products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

thunar 4xfce 4xfce4-settings 2exo 1
CVE-2022-45062CRITICAL

In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there is an argument injection vulnerability in xfce4-mime-helper.

9 Nov 2022
9.8
CVSS
CVE-2022-32278HIGH

XFCE 4.16 allows attackers to execute arbitrary code because xdg-open can execute a .desktop file on an attacker-controlled FTP server.

14 Jun 2022
8.8
CVSS
CVE-2021-32563CRITICAL

An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.

11 May 2021
9.8
CVSS
CVE-2011-1588HIGH

Thunar before 1.3.1 could crash when copy and pasting a file name with % format characters due to a format string error.

14 Nov 2019
7.8
CVSS
CVE-2018-18398MEDIUM

Xfce Thunar 1.6.15, when Xfce 4.12 is used, mishandles the IBus-Unikey input method for file searches within File Manager, leading to an out-of-bounds read and SEGV. This could potentially be exploited by an arbitrary local user who creates files in /tmp before the victim uses this input method.

20 Oct 2018
4.7
CVSS
CVE-2009-4996HIGH

Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. NOTE: there is no general agreement that this is a vulnerability, because separate control over locking can be an equally secure, or more secure, behavior in some threat environments

7 Sep 2010
7.2
CVSS
CVE-2007-6531MEDIUM

Stack-based buffer overflow in the Panel (xfce4-panel) component in Xfce before 4.4.2 might allow remote attackers to execute arbitrary code via Launcher tooltips. NOTE: a second buffer overflow (over-read) in the xfce_mkdirhier function was also reported, but it might not be exploitable for a crash or code execution, so it is not a vulnerability.

10 Jan 2008
5.0
CVSS
CVE-2007-6532CRITICAL

Double free vulnerability in the Widget Library (libxfcegui4) in Xfce before 4.4.2 might allow remote attackers to execute arbitrary code via unknown vectors related to the "cliend id, program name and working directory in session management."

10 Jan 2008
10.0
CVSS
← PrevPage 1 / 1Next →