ID CVE-2007-0242
Summary The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
References
Vulnerable Configurations
  • cpe:2.3:a:qt:qt:3.3.8
    cpe:2.3:a:qt:qt:3.3.8
  • cpe:2.3:a:qt:qt:4.2.3
    cpe:2.3:a:qt:qt:4.2.3
CVSS
Base: 4.3 (as of 04-04-2007 - 16:07)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-075.NASL
    description Andreas Nolden discover a bug in qt4, where the UTF8 decoder does not reject overlong sequences, which can cause '/../' injection or (in the case of konqueror) a '