Description An exploitable remote code execution vulnerability exists in Pidgin's implementation of file:// URL handling. An attacker can supply a remote path that is evaluated by ShellExecute, which can be leveraged to execute arbitrary code. While the operating system (e.g., Windows) blocks execution of several file formats and prompts the user for permission, this can be bypassed by specifying alternate file types, and we have achieved code execution using .jar files.
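
The bypass described above shows why blocking by file type is fragile: a list of blocked formats misses whatever it does not name. The following added example (not Pidgin's code or its fix; the function names, the blocked-extension list and the sample links are constructed for illustration) contrasts an extension blocklist with a scheme allowlist applied before a link is handed to the shell.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if the first n bytes of a and b match, ignoring ASCII case. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Weak: refuse only listed extensions (list constructed for illustration). */
int blocklist_allows(const char *uri) {
    static const char *bad[] = { ".exe", ".bat", ".cmd", ".scr" };
    size_t len = strlen(uri);
    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++) {
        size_t n = strlen(bad[i]);
        if (len >= n && ieq(uri + len - n, bad[i], n))
            return 0;
    }
    return 1;
}

/* Stricter: only web schemes pass; file:, UNC paths and the rest are refused. */
int allowlist_allows(const char *uri) {
    static const char *ok[] = { "http://", "https://" };
    size_t len = strlen(uri);
    for (size_t i = 0; i < len; i++)   /* no control bytes or backslashes */
        if ((unsigned char)uri[i] < 0x20 || uri[i] == '\\')
            return 0;
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++) {
        size_t n = strlen(ok[i]);
        if (len > n && ieq(uri, ok[i], n))
            return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample links; host.example is a placeholder. */
    const char *t[] = { "file://host.example/share/tool.exe",
                        "file://host.example/share/tool.jar",
                        "https://example.org/page" };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-40s blocklist=%d allowlist=%d\n", t[i],
               blocklist_allows(t[i]), allowlist_allows(t[i]));
    return 0;
}
```

The .jar link passes the blocklist but is refused by the allowlist, which never looks at the extension.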

Tested Versions Pidgin 2.10.7

Coverage SIDs 28089 and 28090