High severity · 8.8 · NVD Advisory · Published Dec 11, 2017 · Updated May 13, 2026
CVE-2017-17523
Description
lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument.
Affected products: 1
Patches: 0
No patches discovered yet.
References (3)
- sourceforge.net/p/testlilyissues/issues/5243/ (nvd: Issue Tracking, Patch)
- bugs.debian.org/881767 (nvd: Issue Tracking, Third Party Advisory)
- bugs.debian.org/884136 (nvd: Issue Tracking, Third Party Advisory)