Skip to main content

Tex Live

5 CVEs product

Monthly

CVE-2023-32700 HIGH PATCH This Week

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Luatex Miktex Tex Live
NVD GitHub
CVSS 3.1
7.8
EPSS
0.8%
CVE-2023-32668 MEDIUM POC PATCH This Month

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Luatex Miktex Tex Live
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2018-17407 HIGH PATCH This Week

An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

RCE Buffer Overflow Tex Live Ubuntu Linux Debian Linux
NVD GitHub
CVSS 3.0
7.8
EPSS
2.1%
CVE-2017-17513 HIGH This Week

TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Tex Live
NVD
CVSS 3.0
8.8
EPSS
0.5%
CVE-2016-10243 CRITICAL POC PATCH THREAT Act Now

TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.6%.

Information Disclosure Debian Linux Fedora Tex Live
NVD
CVSS 3.0
9.8
EPSS
10.6%
EPSS 1% CVSS 7.8
HIGH PATCH This Week

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Luatex Miktex +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Luatex Miktex +1
NVD
EPSS 2% CVSS 7.8
HIGH PATCH This Week

An issue was discovered in t1_check_unusual_charstring functions in writet1.c files in TeX Live before 2018-09-21. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

RCE Buffer Overflow Tex Live +2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Tex Live
NVD
EPSS 11% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 10.6%.

Information Disclosure Debian Linux Fedora +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy