CVE-2007-5396

Format string vulnerability in the ext_yahoo_contact_added function in yahoo.c in Miranda IM 0.7.1 allows remote attackers to execute arbitrary code via a Y7 Buddy Authorization packet with format string specifiers in the contact Yahoo! handle (who).

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name	Vendor	Start Version	End Version
Miranda_im	Miranda-im	0.7.1 (including)	0.7.1 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/67.html

References

http://miranda.svn.sourceforge.net/viewvc/miranda/trunk/miranda/protocols/Yahoo/yahoo.c?r1=6601\u0026r2=6699\u0026diff_format=l
http://secunia.com/advisories/27402
http://secunia.com/secunia_research/2007-89/advisory/
http://www.securityfocus.com/bid/26389
http://www.vupen.com/english/advisories/2007/3823
https://exchange.xforce.ibmcloud.com/vulnerabilities/38362
http://miranda.svn.sourceforge.net/viewvc/miranda/trunk/miranda/protocols/Yahoo/yahoo.c?r1=6601\u0026r2=6699\u0026diff_format=l
http://secunia.com/advisories/27402
http://secunia.com/secunia_research/2007-89/advisory/
http://www.securityfocus.com/bid/26389
http://www.vupen.com/english/advisories/2007/3823
https://exchange.xforce.ibmcloud.com/vulnerabilities/38362

NVD	https://nvd.nist.gov/vuln/detail/CVE-2007-5396
CWE	https://cwe.mitre.org/data/definitions/134.html

Use of Externally-Controlled Format String

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References