Vulnerability Spotlight: LibOFX Tag Parsing Code Execution Vulnerability

September 13, 2017 - 0 Comments

This vulnerability was discovered by Cory Duplantis of Talos

Update 9/20/2017: A patch is now available to fix this issue.


LibOFX is an open source implementation of OFX (Open Financial Exchange) an open format used by financial institutions to share financial data with clients. As an implementation of a complex standard, this library is used by financial software such as GnuCash. Talos has discovered an exploitable buffer overflow in the implementation: a specially crafted OFX file can cause a write out of bounds resulting in code execution. This vulnerability is not currently patched and Talos has not received a response from the developers within the period specified by the Vendor Vulnerability Reporting and Disclosure Policy.



In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.