Vulnerability Details CVE-2017-17521
uiutil.c in FontForge through 20170731 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17534.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 63.3%
CVSS Severity
CVSS v3 Score 8.8
CVSS v2 Score 6.8
Products affected by CVE-2017-17521
- cpe:2.3:a:fontforge:fontforge:2.0.20140101
- cpe:2.3:a:fontforge:fontforge:2.1.0
- cpe:2.3:a:fontforge:fontforge:20110222
- cpe:2.3:a:fontforge:fontforge:20120731
- cpe:2.3:a:fontforge:fontforge:20140101
- cpe:2.3:a:fontforge:fontforge:20140813
- cpe:2.3:a:fontforge:fontforge:20141013
- cpe:2.3:a:fontforge:fontforge:20141014
- cpe:2.3:a:fontforge:fontforge:20141126
- cpe:2.3:a:fontforge:fontforge:20141230
- cpe:2.3:a:fontforge:fontforge:20150228
- cpe:2.3:a:fontforge:fontforge:20150330
- cpe:2.3:a:fontforge:fontforge:20150430
- cpe:2.3:a:fontforge:fontforge:20150612
- cpe:2.3:a:fontforge:fontforge:20150824
- cpe:2.3:a:fontforge:fontforge:20160403
- cpe:2.3:a:fontforge:fontforge:20160404
- cpe:2.3:a:fontforge:fontforge:20160930
- cpe:2.3:a:fontforge:fontforge:20161001
- cpe:2.3:a:fontforge:fontforge:20161004
- cpe:2.3:a:fontforge:fontforge:20161005
- cpe:2.3:a:fontforge:fontforge:20161012
- cpe:2.3:a:fontforge:fontforge:20170730
- cpe:2.3:a:fontforge:fontforge:20170731