Vulnerability Details CVE-2017-17513
TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 66.4%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.8
References
Products affected by CVE-2017-17513
-
cpe:2.3:a:tug:tex_live:-
-
cpe:2.3:a:tug:tex_live:20010730
-
cpe:2.3:a:tug:tex_live:20020604
-
cpe:2.3:a:tug:tex_live:20030928
-
cpe:2.3:a:tug:tex_live:20041127
-
cpe:2.3:a:tug:tex_live:20051102
-
cpe:2.3:a:tug:tex_live:20070212
-
cpe:2.3:a:tug:tex_live:20080822
-
cpe:2.3:a:tug:tex_live:20091107
-
cpe:2.3:a:tug:tex_live:20100722
-
cpe:2.3:a:tug:tex_live:20100826
-
cpe:2.3:a:tug:tex_live:20110705
-
cpe:2.3:a:tug:tex_live:20120701
-
cpe:2.3:a:tug:tex_live:20130530
-
cpe:2.3:a:tug:tex_live:20140525
-
cpe:2.3:a:tug:tex_live:20150521
-
cpe:2.3:a:tug:tex_live:20150523
-
cpe:2.3:a:tug:tex_live:20160523
-
cpe:2.3:a:tug:tex_live:20170524
-
cpe:2.3:a:tug:tex_live:2018-09-21