CVE-2018-10992

Name of the Vulnerable Software and Affected Versions LilyPond version 2.19.80

Description The issue allows remote attackers to conduct argument-injection attacks via a crafted URL. This is because the lilypond-invoke-editor in LilyPond does not validate strings before launching the program specified by the BROWSER environment variable. The GNU Guile code uses the system Scheme procedure instead of the system* Scheme procedure, which leads to this problem.

Recommendations For LilyPond version 2.19.80, consider validating strings before launching the program specified by the BROWSER environment variable to prevent argument-injection attacks. As a temporary workaround, restrict the use of the BROWSER environment variable until a patch is available.