CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27985
https://notcve.org/view.php?id=CVE-2023-27985
09 Mar 2023 — emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90 • http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=d32091199ae5de590a83f1542a01d75fba000467 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27986
https://notcve.org/view.php?id=CVE-2023-27986
09 Mar 2023 — emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90. • http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48337 – emacs: command execution via shell metacharacters
https://notcve.org/view.php?id=CVE-2022-48337
20 Feb 2023 — GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input. A flaw was found in the Emacs package. This flaw allows attackers to execute commands via shell met... • https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-48338 – emacs: local command injection in ruby-mode.el
https://notcve.org/view.php?id=CVE-2022-48338
20 Feb 2023 — An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed. • https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-48339 – emacs: command injection vulnerability in htmlfontify.el
https://notcve.org/view.php?id=CVE-2022-48339
20 Feb 2023 — An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed. A flaw was found in the Emacs package. If a file name or directory name contains shell metacharacters, arbitrary code may be executed. • https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-116: Improper Encoding or Escaping of Output CWE-1116: Inaccurate Comments •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-45939 – emacs: ctags local command execution vulnerability
https://notcve.org/view.php?id=CVE-2022-45939
28 Nov 2022 — GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input. GNU Emacs hasta la versión 28.2 permite a los atacantes ejecutar comandos a través de metacaracteres d... • https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •