Total
3 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-17353 | 4 Debian, Fedoraproject, Lilypond and 1 more | 5 Debian Linux, Fedora, Lilypond and 2 more | 2023-01-23 | 7.5 HIGH | 9.8 CRITICAL |
| scm/define-stencil-commands.scm in LilyPond through 2.20.0, and 2.21.x through 2.21.4, when -dsafe is used, lacks restrictions on embedded-ps and embedded-svg, as demonstrated by including dangerous PostScript code. | |||||
| CVE-2018-10992 | 1 Lilypond | 1 Lilypond | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523. | |||||
| CVE-2017-17523 | 1 Lilypond | 1 Lilypond | 2017-12-29 | 6.8 MEDIUM | 8.8 HIGH |
| lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument. | |||||