CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.011 Low
Percentile: 83.9%

Vim 7.1.314, 6.4, and other versions allow user-assisted remote attackers
to execute arbitrary commands via Vim scripts that do not properly sanitize
inputs before invoking the execute or system functions, as demonstrated
using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE:
the originally reported version was 7.1.314, but the researcher actually
found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally
vector 2 in this identifier) has been subsumed by CVE-2008-3075.