CVE-2022-48339
20.02.2023, 23:15
An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
| Vendor | Product | Version |
|---|---|---|
| gnu | emacs | 𝑥 ≤ 28.2 |
𝑥 = Vulnerable software versions
Ubuntu Releases
| Ubuntu Product |
|---|
| emacs |
| emacs23 |
| emacs24 |
| emacs25 |
| xemacs21 |
| xemacs21-packages |
Common Weakness Enumeration
- CWE-116 - Improper Encoding or Escaping of Output: The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
- CWE-1116 - Inaccurate Comments: The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.