CVE-2018-10992

CRITICAL

LilyPond 2.19.80 - Command Injection

Title source: llm

Description

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument, because the GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-17523.

References (1)

[Issue Tracking, Third Party Advisory] https://bugs.debian.org/898373

Scores

CVSS v3 9.8

EPSS 0.0073

EPSS Percentile 72.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-88

Status published

Affected Products (1)

lilypond/lilypond

Timeline

Published May 11, 2018

Tracked Since Feb 18, 2026