CVE-2021-3727
Date: November 30, 2021
Vulnerability in "rand-quote" and "hitokoto" plugins

Description: The "rand-quote" and "hitokoto" plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, process them, and then print them with "print -P". If a quote contained the right symbols, it could trigger command injection. Because the quotes come from an external API, it's not possible to know whether they are safe to use.

Fixed in: "72928432" (https://github.com/ohmyzsh/ohmyzsh/commit/72928432).

Impacted areas:
- "rand-quote" plugin ("quote" function).
- "hitokoto" plugin ("hitokoto" function).
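A defender's check for the same pattern in other zsh plugins, as an added example that is not part of the advisory or of the oh-my-zsh project: it flags lines where `print -P` is given a string that interpolates a variable. The function names and the sample plugin are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic audit for the pattern behind CVE-2021-3727,
# i.e. zsh `print -P` (prompt expansion) applied to a string that
# interpolates a variable. It cannot tell whether the variable holds
# external data; every hit needs a manual look.

# audit_print_p FILE... -> "file:line:text" for each suspicious line
audit_print_p() {
    # `print`, optional other option words, an option cluster containing P,
    # then a `$` later on the same line. Comment-only lines are dropped.
    grep -nHE '(^|[^[:alnum:]_])print[[:space:]]+(-[[:alnum:]]+[[:space:]]+)*-[[:alnum:]]*P[[:alnum:]]*[[:space:]].*\$' -- "$@" |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#'
}

# count_print_p FILE... -> number of suspicious lines
count_print_p() {
    audit_print_p "$@" | wc -l | tr -d ' '
}

# write_sample PATH -> writes a constructed plugin (not oh-my-zsh source)
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample plugin for the audit
function demo_quote() {
  local author text
  text=$(curl -s "https://example.invalid/quote")
  print -P "%F{5}${text}%f"
  print -nP "%F{3}${author}%f: "
  print -r -- "$text"
  print -P "%F{3}static banner%f"
  # print -P "$commented_out"
}
EOF
}

# Run the audit on the constructed sample when executed directly.
sample=$(mktemp) && write_sample "$sample"
audit_print_p "$sample"
rm -f "$sample"
```

Lines that use `print -r --` are not flagged, because without `-P` zsh performs no prompt expansion on the text.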
Language: SHELL
Severity Score
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-78

CVSS v3.1
| Base Score: | |
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | HIGH |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | REQUIRED |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |
CVSS v2
| Base Score: | |
|---|---|
| Access Vector (AV): | NETWORK |
| Access Complexity (AC): | LOW |
| Authentication (AU): | NONE |
| Confidentiality (C): | PARTIAL |
| Integrity (I): | PARTIAL |
| Availability (A): | PARTIAL |
| Additional information: | |


