An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Thunar | Xfce | * | 4.16.7 (excluding) |
| Thunar | Xfce | 4.17.0 (including) | 4.17.2 (excluding) |
| Thunar | Ubuntu | bionic | * |
| Thunar | Ubuntu | groovy | * |
| Thunar | Ubuntu | hirsute | * |
| Thunar | Ubuntu | trusty | * |
| Thunar | Ubuntu | upstream | * |
| Thunar | Ubuntu | xenial | * |