Invisible-island » Xterm : Security Vulnerabilities, CVEs,
xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue. This can only occur for xterm installations that are configured at compile time to use a certain experimental feature.
Max CVSS
9.8
EPSS Score
0.09%
Published
2023-08-14
Updated
2023-09-07
xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
Max CVSS
9.8
EPSS Score
0.23%
Published
2022-11-10
Updated
2022-12-02
xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.
Max CVSS
5.5
EPSS Score
0.08%
Published
2022-01-31
Updated
2022-08-19
xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
Max CVSS
9.8
EPSS Score
4.38%
Published
2021-02-10
Updated
2022-09-30
CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.
Max CVSS
9.3
EPSS Score
1.31%
Published
2009-01-02
Updated
2023-07-27
The default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences.
Max CVSS
9.3
EPSS Score
0.30%
Published
2009-01-02
Updated
2018-10-03
6 vulnerabilities found