Command Injection Vulnerability in FontForge's Splinefont Component
CVE-2024-25081

4.2MEDIUM

Key Information:

Vendor: FontForge
Status: Fontforge
Vendor: CVE Published:; 26 February 2024

What is CVE-2024-25081?

A vulnerability has been identified in the Splinefont component of FontForge that allows command injection through the use of specially crafted filenames. This flaw indicates that malicious actors could potentially execute arbitrary commands on the affected system. It is crucial for users of FontForge to apply the latest security updates and implement necessary measures to mitigate risks associated with this vulnerability.

References

https://fontforge.org/en-US/downloads/

https://github.com/fontforge/fontforge/pull/5367

https://lists.debian.org/debian-lts-announce/2024/03/msg0...

mailing-list

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2024
Vulnerability Reserved
Feb 4, 2024

CVE-2024-25081 Data

JSON