How severe is CVE-2024-47611?

This vulnerability has a severity rating of MEDIUM with a CVSS score of N/A out of 10.

What type of vulnerability is CVE-2024-47611?

This is classified as CWE-88, which is a common weakness in software security.

CVE-2024-47611 - MEDIUM Severity | CVSS N/A

Vulnerability Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the meaning of the command line, which can be exploited with malicious filenames to do argument injection or directory traversal attacks. This vulnerability is fixed in 5.6.3. Command line tools built for Cygwin or MSYS2 are unaffected. liblzma is unaffected.

Related Vulnerabilities

CVE-2018-3856

CRITICAL

CVSS:9.9(Critical)

An exploitable vulnerability exists in the smart cameras RTSP configuration of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The device incorrectly handles spaces in the URL fiel...

CWE-882018

CVE-2024-39930

CRITICAL

CVSS:9.9(Critical)

The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection...

CWE-882024

CVE-2024-47553

CRITICAL

CVSS:9.9(Critical)

A vulnerability has been identified in Siemens SINEC Security Monitor (All versions < V4.9.0). The affected application does not properly validate user input to the ```ssmctl-client``` command. This c...

CWE-882024

CVE-2016-10033

CRITICAL

CVSS:9.8(Critical)

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (bac...

CWE-882016

CVE-2017-1001003

CRITICAL

CVSS:9.8(Critical)

math.js before 3.17.0 had an issue where private properties such as a constructor could be replaced by using unicode characters when creating an object.

CWE-882017

CVE-2018-10992

CRITICAL

CVSS:9.8(Critical)

lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injec...

CWE-882018