Vulnerabilities (CVE)

Filtered by vendor Planetargon Subscribe
Filtered by product Oh My Zsh
Total 5 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-3934 1 Planetargon 1 Oh My Zsh 2024-02-04 5.1 MEDIUM 7.5 HIGH
ohmyzsh is vulnerable to Improper Neutralization of Special Elements used in an OS Command
CVE-2021-3725 1 Planetargon 1 Oh My Zsh 2024-02-04 6.8 MEDIUM 8.8 HIGH
Vulnerability in dirhistory plugin Description: the widgets that go back and forward in the directory history, triggered by pressing Alt-Left and Alt-Right, use functions that unsafely execute eval on directory names. If you cd into a directory with a carefully-crafted name, then press Alt-Left, the system is subject to command injection. Impacted areas: - Functions pop_past and pop_future in dirhistory plugin.
CVE-2021-3726 1 Planetargon 1 Oh My Zsh 2024-02-04 7.5 HIGH 9.8 CRITICAL
# Vulnerability in `title` function **Description**: the `title` function defined in `lib/termsupport.zsh` uses `print` to set the terminal title to a user-supplied string. In Oh My Zsh, this function is always used securely, but custom user code could use the `title` function in a way that is unsafe. **Fixed in**: [a263cdac](https://github.com/ohmyzsh/ohmyzsh/commit/a263cdac). **Impacted areas**: - `title` function in `lib/termsupport.zsh`. - Custom user code using the `title` function.
CVE-2021-3769 1 Planetargon 1 Oh My Zsh 2024-02-04 10.0 HIGH 9.8 CRITICAL
# Vulnerability in `pygmalion`, `pygmalion-virtualenv` and `refined` themes **Description**: these themes use `print -P` on user-supplied strings to print them to the terminal. All of them do that on git information, particularly the branch name, so if the branch has a specially-crafted name the vulnerability can be exploited. **Fixed in**: [b3ba9978](https://github.com/ohmyzsh/ohmyzsh/commit/b3ba9978). **Impacted areas**: - `pygmalion` theme. - `pygmalion-virtualenv` theme. - `refined` theme.
CVE-2021-3727 1 Planetargon 1 Oh My Zsh 2024-02-04 7.5 HIGH 9.8 CRITICAL
# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).