CVE-2023-27986
Summary
| CVE | CVE-2023-27986 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-03-09 06:15:00 UTC |
| Updated | 2023-06-09 06:16:00 UTC |
| Description | emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto: URI with unescaped double-quote characters. It is fixed in 29.0.90. |
Risk And Classification
Problem Types: CWE-94
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Shell command and Emacs Lisp injection in emacsclient-mail.desktop - /dev/posts/ | MISC | www.gabriel.urdhr.fr | |
| oss-security - Shell command and Emacs Lisp code injection in emacsclient-mail.desktop | MISC | www.openwall.com | |
| emacs.git - Emacs source repository | MISC | git.savannah.gnu.org | |
| oss-security - Re: Shell command and Emacs Lisp code injection in emacsclient-mail.desktop | MLIST | www.openwall.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 183276 Debian Security Update for emacs (CVE-2023-27986)
- 355108 Amazon Linux Security Advisory for emacs : ALAS2023-2023-134
- 502849 Alpine Linux Security Update for emacs
- 503182 Alpine Linux Security Update for emacs
- 506042 Alpine Linux Security Update for emacs
- 906686 Common Base Linux Mariner (CBL-Mariner) Security Update for emacs (25603-3)