Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2018-10992

Опубликовано: 11 мая 2018
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS2: 7.5
CVSS3: 9.8

Описание

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.

РелизСтатусПримечание
artful

ignored

end of life
bionic

ignored

end of standard support, was needed
cosmic

not-affected

2.19.81+really-2.18.2-13
devel

not-affected

2.19.81+really-2.18.2-13
disco

not-affected

2.19.81+really-2.18.2-13
eoan

not-affected

2.19.81+really-2.18.2-13
esm-apps/bionic

needed

esm-apps/focal

not-affected

2.19.81+really-2.18.2-13
esm-apps/jammy

not-affected

2.19.81+really-2.18.2-13
esm-apps/noble

not-affected

2.19.81+really-2.18.2-13

Показывать по

Ссылки на источники

EPSS

Процентиль: 72%
0.00729
Низкий

7.5 High

CVSS2

9.8 Critical

CVSS3

Связанные уязвимости

nvd логотип

CVE-2018-10992

CVSS3: 9.8
nvd
больше 7 лет назад

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.

debian логотип

CVE-2018-10992

CVSS3: 9.8
debian
больше 7 лет назад

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings b ...

suse-cvrf логотип

openSUSE-SU-2018:1360-1

suse-cvrf
больше 7 лет назад

Security update for lilypond

github логотип

GHSA-62j8-9w4c-7rfw

CVSS3: 9.8
github
больше 3 лет назад

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.

EPSS

Процентиль: 72%
0.00729
Низкий

7.5 High

CVSS2

9.8 Critical

CVSS3