{ "affected": [ { "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Debian:11", "name": "xdg-utils" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Debian:12", "name": "xdg-utils" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Debian:13", "name": "xdg-utils" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "ecosystem_specific": { "urgency": "unimportant" }, "package": { "ecosystem": "Debian:14", "name": "xdg-utils" }, "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] } ], "details": "xdg-open in xdg-utils through 1.2.1 can send requests containing SameSite=Strict cookies, which can facilitate CSRF. (For example, xdg-open could be modified to, by default, associate x-scheme-handler/https with the execution of a browser with command-line options that arrange for an empty cookie store, although this would add substantial complexity, and would not be considered a desirable or expected behavior by all users.) NOTE: this is disputed because integrations of xdg-open typically do not provide information about whether the xdg-open command and arguments were manually entered by a user, or whether they were the result of a navigation from content in an untrusted origin.", "id": "DEBIAN-CVE-2025-52968", "modified": "2026-04-28T19:53:21.704339401Z", "published": "2025-06-23T15:15:29.350Z", "references": [ { "type": "ADVISORY", "url": "https://security-tracker.debian.org/tracker/CVE-2025-52968" } ], "severity": [ { "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "type": "CVSS_V3" } ], "upstream": [ "CVE-2025-52968" ] }