The XMonad.Hooks.DynamicLog module in xmonad-contrib before 0.11.2 allows remote attackers to execute arbitrary commands via a web page title, which activates the commands when the user clicks on the xmobar window title, as demonstrated using an action tag.
Gentoo Linux Security Advisory 201405-28 - A remote command injection vulnerability has been discovered in xmonad-contrib. Versions less than 0.11.2 are affected.