CVE-2023-27985

Published: Mar 9, 2023

Modified: Mar 5, 2025

PUBLISHED

Description

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.openwall.com/lists/oss-security/2023/03/08/2

http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=d32091199ae5de590a83f1542a01d75fba000467

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60204

[oss-security] 20230309 Re: Shell command and Emacs Lisp code injection in emacsclient-mail.desktop

mailing-list

https://www.gabriel.urdhr.fr/2023/06/08/emacsclient-mail-shell-elisp-injections/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-27985

Description

Affected Products

References