MobaXterm command execution in protocol handler
CVE-2019-16305
The MobaXterm protocol handler on Windows is vulnerable to command injection.
An attacker can, for example, craft a web page containing a malicious link. When the link is clicked, a popup asks the user whether to run MobaXterm to handle the link. If the user accepts, a second popup asks for further confirmation; if that one is also accepted, command execution is achieved.
MobaXterm://`calc`
Pops the calculator.
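A defensive check for this pattern, as an added example that is not part of the original advisory: it scans text such as page source or logged command lines for MobaXterm:// URIs that carry backticks, the injection marker shown above. The sample input, the function name and the percent-decoding step (so an encoded backtick, %60, is also caught) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Scheme name comes from the advisory; URI schemes are case-insensitive.
URI_RE = re.compile(r"mobaxterm://[^\s\"'<>]*", re.IGNORECASE)

# Backticks are the only injection marker the advisory demonstrates.
BACKTICK_SPAN = re.compile(r"`([^`]*)`")


def find_suspicious_uris(text):
    """Return (raw_uri, embedded_commands) for each MobaXterm URI with backticks."""
    findings = []
    for match in URI_RE.finditer(text):
        raw = match.group(0)
        decoded = raw
        # Bounded repeated decoding: catches %60 and double-encoded %2560.
        for _ in range(3):
            step = unquote(decoded)
            if step == decoded:
                break
            decoded = step
        if "`" in decoded:
            # An unpaired backtick is still reported, with an empty command list.
            findings.append((raw, BACKTICK_SPAN.findall(decoded)))
    return findings


# Constructed sample input (not real logs): two HTML links, one logged
# command line with a placeholder handler name, and one unrelated link.
SAMPLE = """\
<a href="mobaxterm://session-placeholder">open session</a>
<a href="MobaXterm://`calc`">Click me</a>
cmdline: handler-placeholder mobaxterm://%60calc%60
<a href="https://example.com/?q=`x`">not a MobaXterm link</a>
"""

if __name__ == "__main__":
    for uri, commands in find_suspicious_uris(SAMPLE):
        print(f"suspicious URI: {uri!r} embedded: {commands}")
```
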