CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
55.6%
rand-quote
and hitokoto
plugins Description: the rand-quote
and hitokoto
fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use print -P
to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they’re an external API, it’s not possible to know if the quotes are safe to use.Fixed in: 72928432.Impacted areas: - rand-quote
plugin (quote
function). - hitokoto
plugin (hitokoto
function).[
{
"product": "ohmyzsh/ohmyzsh",
"vendor": "ohmyzsh",
"versions": [
{
"lessThan": "72928432",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
55.6%