THREATINT
PUBLISHED

CVE-2025-52968



Description

xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.

Reserved 2025-06-23 | Published 2025-06-23 | Updated 2025-06-23 | Assigner mitre


LOW: 2.7 | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Problem types

CWE-420 Unprotected Alternate Channel

Product status

Default status: unknown

Any version: affected

References

cgit.freedesktop.org/xdg/xdg-utils/tag/?h=v1.2.1

www.openwall.com/lists/oss-security/2025/06/23/1

cve.org (CVE-2025-52968)

nvd.nist.gov (CVE-2025-52968)
