# Vulnerability in `rand-quote` and `hitokoto` plugins

**Description**: the `rand-quote` and `hitokoto` plugins fetch quotes from quotationspage.com and hitokoto.cn respectively, process them, and then print them with `print -P`. If these quotes contained the proper symbols, they could trigger command injection. Because the quotes come from an external API, it's not possible to know whether they are safe to use.

**Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432).

**Impacted areas**:

- `rand-quote` plugin (`quote` function).
- `hitokoto` plugin (`hitokoto` function).
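
One way to keep fetched text out of prompt expansion, shown as an added zsh example rather than the plugins' code or the upstream fix. The function name `print_quote_safely` and the sample strings are assumptions constructed for illustration.

```zsh
#!/usr/bin/env zsh
# Added example, not the plugins' code. Names and sample data are hypothetical.

# Risky pattern described in the advisory: untrusted text placed inside the
# string that `print -P` prompt-expands, e.g.
#   print -P "%F{3}${author}%f: “%F{5}${quote}%f”"

print_quote_safely() {
  emulate -L zsh            # local zsh defaults; PROMPT_SUBST is off here
  local author=$1 quote=$2

  # Drop control characters so fetched text cannot carry terminal escape sequences.
  author=${author//[[:cntrl:]]/}
  quote=${quote//[[:cntrl:]]/}

  # Only constant strings are prompt-expanded (-P); fetched text is printed raw (-r).
  print -nP -- '%F{3}'
  print -rn -- "$author"
  print -nP -- '%f: “%F{5}'
  print -rn -- "$quote"
  print -P  -- '%f”'
}

# Constructed sample input standing in for an API response.
sample_author='Anon %F{1}'
sample_quote='100% of input is untrusted $(date)'
print_quote_safely "$sample_author" "$sample_quote"
```

The `%` sequences and `$(date)` in the sample are printed literally, because the fetched text never reaches `print -P`.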
References

| Link | Resource |
|---|---|
| https://github.com/ohmyzsh/ohmyzsh/commit/72928432 | Patch, Third Party Advisory |

MITRE Information
Status: PUBLISHED
Assigner: @huntrdev
Published: 2021-11-30T09:30:17
Updated: 2021-11-30T09:30:17
Reserved: 2021-08-19T00:00:00
Link: CVE-2021-3727
NVD Information
Status: Analyzed
Published: 2021-11-30T10:15:08.940
Modified: 2021-12-01T08:05:03.300
Link: CVE-2021-3727