CVE-2019-0542 — Code Injection in Xterm.js

CWE-94 — Code Injection CWE-77 — Command Injection8 documents7 sources

Severity

8.8HIGHNVD

EPSS

1.7%

top 17.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Openshift Container Platform Xtermjs Xterm.js Invisible-island Xterm +1 more

Timeline

PublishedJan 9

Latest updateJan 23

Description

A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶NVDxtermjs/xterm.js< 5.0.0

▶npminvisible-island/xterm3.9.0 — 3.9.2+2

▶CVEListV5https/xtermjs.org_xterm.jsxterm.js

▶NVDredhat/openshift_container_platform3.9 — 3.9.99+2

🔴Vulnerability Details

OSV

xterm vulnerable to remote code execution↗2019-01-14

▶

GHSA

xterm vulnerable to remote code execution↗2019-01-14

▶

CVEList

CVE-2019-0542: A remote code execution vulnerability exists in Xterm↗2019-01-09

▶

OSV

CVE-2019-0542: A remote code execution vulnerability exists in Xterm↗2019-01-09

▶

📋Vendor Advisories

Red Hat

xterm.js: Mishandling of special characters allows for remote code execution↗2019-01-09

▶

Debian

CVE-2019-0542: node-xterm - A remote code execution vulnerability exists in Xterm.js when the component mish...↗2019

▶

💬Community

Bugzilla

CVE-2019-0542 xterm.js: Mishandling of special characters allows for remote code execution↗2019-01-23

▶