CVE-2020-15271

Severity CVSS v4.0:
Pending analysis
Type:
CWE-78 OS Command Injections
Publication date:
26/10/2020
Last modified:
13/11/2020

Description

In lookatme (python/pypi package) versions prior to 2.3.0, the package automatically loaded the built-in "terminal" and "file_loader" extensions. Users that use lookatme to render untrusted markdown may have malicious shell commands automatically run on their system. This is fixed in version 2.3.0. As a workaround, the `lookatme/contrib/terminal.py` and `lookatme/contrib/file_loader.py` files may be manually deleted. Additionally, it is always recommended to be aware of what is being rendered with lookatme.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:lookatme_project:lookatme:*:*:*:*:*:*:*:* 2.3.0 (excluding)