rpm package
opensuse/lilypond&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/lilypond&distro=openSUSE%20Tumbleweed
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-17353 | — | < 2.23.3-1.3 | 2.23.3-1.3 | Aug 5, 2020 | scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code. | ||
| CVE-2018-10992 | Cri | 9.8 | < 2.23.3-1.3 | 2.23.3-1.3 | May 11, 2018 | lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, |
- CVE-2020-17353Aug 5, 2020affected < 2.23.3-1.3fixed 2.23.3-1.3
scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code.
- affected < 2.23.3-1.3fixed 2.23.3-1.3
lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument,