Invisible-Island Xterm vulnerabilities

7 known vulnerabilities affecting invisible-island/xterm.

Total CVEs: 7
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 1, MEDIUM 1

Vulnerabilities

CVE-2023-40359 | CRITICAL | CVSS 9.8 | fixed in 380 | 2023-08-14
xterm before 380 supports ReGIS reporting for character-set names even if they have unexpected characters (i.e., neither alphanumeric nor underscore), aka a pointer/overflow issue. This can only occur for xterm installations that are configured at compile time to use a certain experimental feature.
Sources: nvd, osv
CVE-2022-45063 | CRITICAL | CVSS 9.8 | fixed in 375 | 2022-11-10
CWE-77. xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are not allowed in the xterm default configurations of some Linux distributions.
Sources: nvd, osv
CVE-2022-24130 | MEDIUM | CVSS 5.5 | ≤ 370 | 2022-01-31
CWE-120. xterm through Patch 370, when Sixel support is enabled, allows attackers to trigger a buffer overflow in set_sixel in graphics_sixel.c via crafted text.
Sources: nvd, osv
CVE-2021-27135 | CRITICAL | CVSS 9.8 | fixed in 366 | 2021-02-10
xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
Sources: nvd, osv
CVE-2019-0542 | HIGH | ≥ 0, < 3.8.1; ≥ 3.9.0, < 3.9.2; +1 more | 2019-01-14
CWE-94. xterm vulnerable to remote code execution: A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters.
Sources: ghsa, osv
CVE-2008-2383 | CRITICAL | CVSS 9.3 | v_nil_ | 2009-01-02
CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071.
Sources: nvd, osv
CVE-2006-7236 | CRITICAL | CVSS 9.3 | PoC | v_nil_ | 2009-01-02
CWE-16. The default configuration of xterm on Debian GNU/Linux sid and possibly Ubuntu enables the allowWindowOps resource, which allows user-assisted attackers to execute arbitrary code or have unspecified other impact via escape sequences.
Sources: nvd, osv