
CVE-2024-30203 – emacs: Gnus treats inline MIME contents as trusted
https://notcve.org/view.php?id=CVE-2024-30203
25 Mar 2024 — In Emacs before 29.3, Gnus treats inline MIME contents as trusted. A flaw was found in Emacs. When Emacs is used as an email client, inline MIME attachments are considered to be trusted by default, allowing a crafted LaTeX document to exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service. • http://www.openwall.com/lists/oss-security/2024/03/25/2 • CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

CVE-2024-30205 – emacs: Org mode considers contents of remote files to be trusted
https://notcve.org/view.php?id=CVE-2024-30205
25 Mar 2024 — In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23. A flaw was found in Emacs. • http://www.openwall.com/lists/oss-security/2024/03/25/2 • CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data • CWE-494: Download of Code Without Integrity Check

CVE-2024-30202 – Gentoo Linux Security Advisory 202407-08
https://notcve.org/view.php?id=CVE-2024-30202
25 Mar 2024 — In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23. It was discovered that Org Mode did not correctly handle filenames containing shell metacharacters. • http://www.openwall.com/lists/oss-security/2024/03/25/2 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2024-30204 – emacs: LaTeX preview is enabled by default for e-mail attachments
https://notcve.org/view.php?id=CVE-2024-30204
25 Mar 2024 — In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments. A flaw was found in Emacs. When Emacs is used as an email client, a preview of a crafted LaTeX document attached to an email can exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service. • http://www.openwall.com/lists/oss-security/2024/03/25/2 • CWE-276: Incorrect Default Permissions • CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data

CVE-2023-28617 – emacs: command injection vulnerability in org-mode
https://notcve.org/view.php?id=CVE-2023-28617
19 Mar 2023 — org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for GNU Emacs allows attackers to execute arbitrary commands via a file name or directory name that contains shell metacharacters. A flaw was found in the Emacs text editor. Processing a specially crafted org-mode code with the function org-babel-execute:latex in ob-latex.el can result in arbitrary command execution. It was discovered that Org Mode did not correctly handle filenames containing shell metacharacters. An attacker could possibly u... • https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8f8ec2ccf3f5ef8f38d68ec84a7e4739c45db485 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')