CVE-2016-10894 Information

Description

xtrlock through 2.10 does not block multitouch events. Consequently, an attacker at a locked screen can send input to (and thus control) various programs such as Chromium via events such as pan scrolling, "pinch and zoom" gestures, or even regular mouse clicks (by depressing the touchpad once and then clicking with a different finger).

CVSS Vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

https://bugs.debian.org/830726

https://lists.debian.org/debian-lts-announce/2019/10/msg00019.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

4.6

Base Severity

MEDIUM
