GNU Emacs <=28.2 htmlfontify.el Command Injection
CVE-2022-48339 Published on February 20, 2023

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.

Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2022-48339 can be exploited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

Inaccurate Comments

The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated.


Products Associated with CVE-2022-48339

stack.watch emails you whenever new vulnerabilities are published in GNU Emacs or Canonical Ubuntu Linux. Just hit a watch button to start following.

GNU Emacs
 
Canonical Ubuntu Linux
 

Exploit Probability

EPSS
0.09%
Percentile
25.72%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.