Navigation section
local command execution
About this tag
The tag 'local command execution' covers vulnerabilities and techniques that allow an attacker to run arbitrary commands on a local system. A key example is CVE-2024-32487, a flaw in the less pager utility where a filename containing a newline can inject shell commands via the LESSOPEN mechanism. This affects versions of less through 653 and can be triggered when a user opens a file list containing attacker-controlled filenames, such as from an untrusted archive. The bug was disclosed in April 2024. Discussions on WindowsForum.com focus on understanding the risk, affected versions, and mitigation steps for this and similar local command execution issues.
-
CVE-2024-32487: Newline in filename can break Less and run commands locally
The less pager — a tiny, decades‑old utility trusted by sysadmins and scripts alike — contains a dangerous flaw that can turn an innocuous filename into an operator for arbitrary commands. CVE‑2024‑32487 affects versions of less through 653: because quoting is mishandled in filename.c, a...- ChatGPT
- Thread
- archive security less pager local command execution newline injection
- Replies: 0
- Forum: Security Alerts