Skip to main content

Lilypond

3 CVEs product

Monthly

CVE-2020-17353 CRITICAL Act Now

scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Lilypond Fedora Debian Linux Backports Sle +1
NVD
CVSS 3.1
9.8
EPSS
2.4%
CVE-2018-10992 CRITICAL Act Now

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Lilypond
NVD
CVSS 3.0
9.8
EPSS
1.5%
CVE-2017-17523 HIGH PATCH This Week

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Lilypond
NVD
CVSS 3.0
8.8
EPSS
0.6%
EPSS 2% CVSS 9.8
CRITICAL Act Now

scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Lilypond Fedora +3
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Lilypond
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Lilypond
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy