|default.tcl in Tkabber 1.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the attack cannot occur because of the argument-parsing behavior of the Tcl exec function
|CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Originally assigned for src:tkabber
TCL's exec call does not involve the shell. It does its own argument parsing
which safely forwards the content of any variable. No command injection is
thus possible. See https://tcl.tk/man/tcl/TclCmd/exec.htm
MITRE only considers this as DISPUTED rather than fully REJECT The CVE.