
Cmder emits control characters into the title which can execute commands.

Critical
MartiUK published GHSA-q8jh-m5px-rcxf Jul 27, 2023

Package

cmder

Affected versions

<= 1.3.21

Patched versions

>= 1.3.24

Description

Impact

Despite the fix for GHSA-vm56-hh5p-448v, cmder can still emit control characters to the title which can execute commands.

Patches

Cmder will use an updated version of ConEmu that is patched.

Workarounds

Ideally you should upgrade, but as a workaround you can change the ConEmu entry in the vendor/sources.json file to the latest version and then run scripts/build.ps1, which should download and unpack that version.
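The workaround above, scripted as an added example (not part of the advisory or of the cmder project's own scripts). It assumes vendor/sources.json is a JSON array of objects with "name", "version" and "url" keys and that the ConEmu entry's name starts with "ConEmu"; the new version tag and download URL are supplied by the caller rather than hard-coded here.

```powershell
# Added example: pin ConEmu to a patched release in vendor/sources.json, then
# run scripts/build.ps1 from a cmder checkout. Schema of sources.json is assumed.
param(
    [string] $CmderRoot = (Get-Location).Path,                 # path to the cmder checkout
    [Parameter(Mandatory = $true)] [string] $NewVersion,       # tag of the patched ConEmu release
    [Parameter(Mandatory = $true)] [string] $NewUrl            # download URL of that release's archive
)

$ErrorActionPreference = 'Stop'
$sourcesPath = Join-Path $CmderRoot 'vendor/sources.json'
$buildScript = Join-Path $CmderRoot 'scripts/build.ps1'

foreach ($p in @($sourcesPath, $buildScript)) {
    if (-not (Test-Path $p)) { throw "Expected file not found: $p" }
}

# Keep a backup so the pin can be reverted if the build fails.
Copy-Item $sourcesPath "$sourcesPath.bak" -Force

$sources = Get-Content $sourcesPath -Raw | ConvertFrom-Json
$conemu  = @($sources | Where-Object { $_.name -like 'ConEmu*' })
if ($conemu.Count -ne 1) {
    throw "Expected exactly one ConEmu entry in $sourcesPath, found $($conemu.Count)"
}

Write-Host "ConEmu currently pinned to version '$($conemu[0].version)'"
$conemu[0].version = $NewVersion
$conemu[0].url     = $NewUrl

# -InputObject keeps the top-level JSON array intact even when it has one element.
ConvertTo-Json -InputObject $sources -Depth 5 | Set-Content $sourcesPath -Encoding UTF8
Write-Host "Pinned ConEmu to version '$NewVersion' ($NewUrl)"

# build.ps1 downloads and unpacks whatever versions sources.json now pins.
& $buildScript

# Re-read the file to confirm the pin survived the build step.
$check = @((Get-Content $sourcesPath -Raw | ConvertFrom-Json) | Where-Object { $_.name -like 'ConEmu*' })
if ($check[0].version -ne $NewVersion) { throw 'ConEmu pin was not applied' }
Write-Host 'Done; the backup is kept at' "$sourcesPath.bak"
```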

References

https://github.com/orgs/cmderdev/discussions/2864
Maximus5/ConEmu#2536

Severity

Critical: 9.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-39150
