Summary: A security vulnerability (CVE-2025-3155) has been discovered in Yelp, a GNOME user help application on Ubuntu. The issue arises from how Yelp processes .page files with XInclude, allowing for potential script injection. This vulnerability enables attackers to exploit Yelp to steal sensitive files like the user’s SSH key.
Affected: Yelp (GNOME user help application on Ubuntu)
Key points:
- Vulnerability identified as CVE-2025-3155 affecting the “ghelp://” URI scheme handled by Yelp.
- XInclude processing allows for the embedding of external XML content in .page files, posing a security risk.
- Attackers can exploit the vulnerability to inject scripts via SVG tags, potentially stealing sensitive files from the victim’s system.
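
A defensive check for the two constructs named above, written for this summary as an added example (it is not code from the advisory or from the Yelp project): it parses .page files without resolving XInclude and reports any XInclude element or SVG `script` element it finds. The function names and both sample documents are constructed for illustration; XInclude also appears in legitimate help content, so a finding is a prompt for review, not proof of an attack.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"
SVG_SCRIPT = "{http://www.w3.org/2000/svg}script"

# Constructed sample inputs (not taken from any real help package).
SUSPICIOUS_PAGE = """<page xmlns="http://projectmallard.org/1.0/"
      xmlns:xi="http://www.w3.org/2001/XInclude" id="index">
  <title>Constructed sample</title>
  <p><xi:include href="PLACEHOLDER_PATH" parse="text"/></p>
  <svg:svg xmlns:svg="http://www.w3.org/2000/svg"><svg:script/></svg:svg>
</page>"""
BENIGN_PAGE = """<page xmlns="http://projectmallard.org/1.0/" id="index">
  <title>Constructed sample</title>
  <p>Plain help text.</p>
</page>"""


def audit_page(xml_data):
    """Return (kind, detail) findings for one .page document (str or bytes)."""
    try:
        # ElementTree does not resolve XInclude on parse, so nothing is fetched.
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    findings = []
    for elem in root.iter():
        if elem.tag == XI_INCLUDE:
            findings.append(("xinclude", elem.get("href", "")))
        elif elem.tag == SVG_SCRIPT:
            findings.append(("svg-script", ""))
    return findings


def scan_tree(root_dir):
    """Audit every *.page file under root_dir; return {path: findings}."""
    report = {}
    for path in Path(root_dir).rglob("*.page"):
        found = audit_page(path.read_bytes())
        if found:
            report[str(path)] = found
    return report


if __name__ == "__main__" and len(sys.argv) == 2:
    for page, found in scan_tree(sys.argv[1]).items():
        print(page, found)
```

Run it with a directory as the only argument to list every .page file under it that contains either construct.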