Description
# Vulnerability in `rand-quote` and `hitokoto` plugins

**Description**: the `rand-quote` and `hitokoto` plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, do some processing on them and then use `print -P` to print them. If a quote contains the right characters, `print -P` expands them and can trigger command injection. Since the quotes come from external APIs, there is no way to know whether they are safe to print this way.

**Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432).

**Impacted areas**:
- `rand-quote` plugin (`quote` function).
- `hitokoto` plugin (`hitokoto` function).
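The defensive pattern behind the fix class described above, as an added example that is not oh-my-zsh code: untrusted API text must never be handed to a printer that expands its argument. This POSIX sh script (it also runs under zsh) routes the data through a `%s` placeholder of `printf`, so the quote is emitted verbatim however many `$(...)` or `%` sequences it carries, while the formatting codes stay in a constant argument we control. The quote and author strings are constructed samples, and `format_quote_safe` and `still_verbatim` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not oh-my-zsh code): print an untrusted quote without
# ever letting the shell re-parse it.  The risky pattern in the plugins is
# zsh's `print -P "$quote"`, which performs prompt expansion on the data;
# the safe version below only ever puts data into printf's %s slots.

# Constructed sample of what a hostile API response could look like.
# The $(...) and %F{...} sequences are left in deliberately: a correct
# printer must emit them as literal text, not interpret them.
UNTRUSTED_QUOTE='Be yourself; $(echo INJECTED) everyone else is taken %F{red}'
UNTRUSTED_AUTHOR='Oscar Wilde %f'

# Hypothetical helper: format author and quote for the terminal.
# Colour codes are constant strings chosen by us; the two data arguments
# only fill %s placeholders, which printf never expands or evaluates.
format_quote_safe() {
    author=$1
    quote=$2
    bold=$(printf '\033[1m')
    reset=$(printf '\033[0m')
    printf '%s%s%s\n    -- %s\n' "$bold" "$quote" "$reset" "$author"
}

# Hypothetical check used by the demo and the test: returns 0 when the raw
# $(echo INJECTED) text survived in the output, i.e. nothing expanded it.
still_verbatim() {
    case $1 in
        *'$(echo INJECTED)'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration when run directly: the quote is shown exactly as received.
out=$(format_quote_safe "$UNTRUSTED_AUTHOR" "$UNTRUSTED_QUOTE")
printf '%s\n' "$out"
if still_verbatim "$out"; then
    printf 'OK: metacharacters printed literally, nothing executed\n'
fi
```

In zsh specifically the equivalent rule is to drop `-P` whenever the argument is data: `print -r -- "$quote"` writes the string as-is, and any prompt-style colour codes can be emitted in a separate `print -P` call whose argument is a constant you wrote yourself.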
References (1)
Patch, Third Party Advisory (x_refsource_misc): https://github.com/ohmyzsh/ohmyzsh/commit/72928432
Scores
CVSS v3: 7.5
EPSS: 0.0136
EPSS Percentile: 80.3%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-78
Status: published
Products (1)
planetargon/oh_my_zsh < 72928432
Published: Nov 30, 2021
Tracked Since: Feb 18, 2026