
CVSS: 7.6 | EPSS: 1% | CPEs: 17 | EXPL: 0

rxvt-unicode before 9.20 does not properly handle OSC escape sequences, which allows user-assisted remote attackers to manipulate arbitrary X window properties and execute arbitrary commands.

References:
http://dist.schmorp.de/rxvt-unicode/Changes
http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00026.html
http://lists.opensuse.org/opensuse-updates/2014-06/msg00038.html
http://seclists.org/oss-sec/2014/q2/204
http://www.debian.org/security/2014/dsa-2925
http://www.securityfocus.com/bid/67155
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133166.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133195.html

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 3.7 | EPSS: 0% | CPEs: 118 | EXPL: 0

rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: it was later reported that rxvt-unicode, mrxvt, aterm, multi-aterm, and wterm are also affected. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine.

References:
http://article.gmane.org/gmane.comp.security.oss.general/122
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469296
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
http://secunia.com/advisories/29576
http://secunia.com/advisories/30224
http://secunia.com/advisories/30225
http://secunia.com/advisories/30226
http://secunia.com/advisories/30227
http://secunia.com/advisories/30229
http://secunia.com/advisories/31687
http://security.gentoo.org/glsa/glsa

CWE-264: Permissions, Privileges, and Access Controls

CVSS: 4.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

rxvt-unicode before 6.3, on certain platforms that use openpty and non-Unix pty devices such as Linux and most BSD platforms, does not maintain the intended permissions of tty devices, which allows local users to gain read and write access to the devices.

References:
http://dist.schmorp.de/rxvt-unicode/Changes
http://secunia.com/advisories/18301
http://www.osvdb.org/22223
http://www.vupen.com/english/advisories/2006/0052

CVSS: 7.5 | EPSS: 2% | CPEs: 19 | EXPL: 0

Buffer overflow in command.C for rxvt-unicode before 5.3 allows remote attackers to execute arbitrary code via a crafted file containing long escape sequences.

References:
http://bugs.gentoo.org/show_bug.cgi?id=84680
http://www.gentoo.org/security/en/glsa/glsa-200503-23.xml

CVSS: 4.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

RXVT-Unicode 3.4 and 3.5 do not properly close file descriptors, which allows local users to access the terminals of other users and possibly gain privileges.

References:
http://cvs.schmorp.de/browse/rxvt-unicode/Changes?view=markup
http://secunia.com/advisories/12299
http://www.osvdb.org/8710
http://www.securityfocus.com/bid/10959
https://exchange.xforce.ibmcloud.com/vulnerabilities/17000