CVE-2023-47104

CRITICAL

vareille tiny_file_dialogs < 3.15.0 - OS Command Injection via Shell Metacharacters in Input Data

Title source: llm

Description

tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell metacharacters (such as a backquote or a dollar sign) in titles, messages, and other input data. NOTE: this issue exists because of an incomplete fix for CVE-2020-36767, which only considered single and double quote characters.

References (2)

Core 2

Core References

Exploit, Issue Tracking, Third Party Advisory

https://github.com/servo/servo/issues/25498#issuecomment-703527082

Patch

https://sourceforge.net/p/tinyfiledialogs/code/ci/ac9f9f6d8cdf45ca8d9b4cf1f201ee472301e114/

Scores

CVSS v3 9.8

EPSS 0.0072

EPSS Percentile 49.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-77 CWE-78

Status published

Products (2)

vareille/tiny_file_dialogs < 3.15.0

vareille/tinyfiledialogs < 3.15.0

Published Oct 30, 2023

Tracked Since Feb 18, 2026