vulnerability
SUSE: CVE-2018-10992: SUSE Linux Security Advisory
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | May 11, 2018 | May 22, 2018 | May 7, 2019 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
May 11, 2018
Added
May 22, 2018
Modified
May 7, 2019
Description
lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.
Solution(s)
suse-upgrade-lilypondsuse-upgrade-lilypond-century-schoolbook-l-fontssuse-upgrade-lilypond-debuginfosuse-upgrade-lilypond-debugsourcesuse-upgrade-lilypond-docsuse-upgrade-lilypond-doc-cssuse-upgrade-lilypond-doc-desuse-upgrade-lilypond-doc-essuse-upgrade-lilypond-doc-frsuse-upgrade-lilypond-doc-hususe-upgrade-lilypond-doc-itsuse-upgrade-lilypond-doc-jasuse-upgrade-lilypond-doc-nlsuse-upgrade-lilypond-doc-zhsuse-upgrade-lilypond-emmentaler-fontssuse-upgrade-lilypond-fonts-common
References
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.