4 results (0.009 seconds)

CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 0

The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set. El paquete rxvt-unicode es vulnerable a la ejecución remota de código, en la extensión en segundo plano de Perl, cuando un atacante puede controlar los datos escritos en el terminal del usuario y se configuran ciertas opciones. • https://bugzilla.redhat.com/show_bug.cgi?id=2151597 https://security.gentoo.org/glsa/202310-20 https://www.openwall.com/lists/oss-security/2022/12/05/1 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 8.8EPSS: 1%CPEs: 7EXPL: 2

rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline. rxvt-unicode versión 9.22, rxvt versión 2.7.10, mrxvt versión 0.5.4 y Eterm versión 0.9.7 permiten una ejecución de código (potencialmente remoto) debido al manejo inapropiado de determinadas secuencias de escape (ESC GQ). Una respuesta es terminada con una nueva línea • http://cvs.schmorp.de/rxvt-unicode/Changes?view=log http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583 https://git.enlightenment.org/apps/eterm.git/log https://lists.debian.org/debian-lts-announce/2021/05/msg00026.html https://lists.debian.org/debian-lts-announce/2021/06/msg00010.html https://lists.debian.org/debian-lts-announce/2021/06/msg00011.html https://lists.debian.org/debian-lts-announce/2021/06/msg00012.html https://lists.fedoraproject.org/archive • CWE-755: Improper Handling of Exceptional Conditions •

CVSS: 3.7EPSS: 0%CPEs: 118EXPL: 0

rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: it was later reported that rxvt-unicode, mrxvt, aterm, multi-aterm, and wterm are also affected. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine. Rxvt versión 2.6.4 abre una ventana terminal en :0 si no se establece la variable de entorno DISPLAY, lo que podría permitir a los usuarios locales secuestrar conexiones X11. NOTA: más tarde se informó que rxvt-unicode, mrxvt, aterm, multi-aterm y wterm también se ven afectados. • http://article.gmane.org/gmane.comp.security.oss.general/122 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469296 http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html http://secunia.com/advisories/29576 http://secunia.com/advisories/30224 http://secunia.com/advisories/30225 http://secunia.com/advisories/30226 http://secunia.com/advisories/30227 http://secunia.com/advisories/30229 http://secunia.com/advisories/31687 http://security.gentoo.org/glsa/glsa • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0

rxvt-unicode before 6.3, on certain platforms that use openpty and non-Unix pty devices such as Linux and most BSD platforms, does not maintain the intended permissions of tty devices, which allows local users to gain read and write access to the devices. • http://dist.schmorp.de/rxvt-unicode/Changes http://secunia.com/advisories/18301 http://www.osvdb.org/22223 http://www.vupen.com/english/advisories/2006/0052 •