{"vulnerability": "cve-2020-2734", "sightings": [{"uuid": "ef66fb24-f72d-46ad-943a-f84789b482fe", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27348", "type": "seen", "source": "https://t.me/arpsyndicate/4767", "content": "#ExploitObserverAlert\n\nCVE-2020-27348\n\nDESCRIPTION: Exploit Observer has 9 entries in 4 file formats related to CVE-2020-27348. In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.\n\nFIRST-EPSS: 0.000900000\nNVD-IS: 5.5\nNVD-ES: 1.3\nARPS-PRIORITY: 0.7040618", "creation_timestamp": "2024-04-23T19:19:00.000000Z"}, {"uuid": "3582a546-e651-41da-91ae-28d9eb31e2e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27340", "type": "seen", "source": "https://t.me/cibsecurity/21047", "content": "\u203c CVE-2020-27340 \u203c\n\nThe online help portal of Mitel MiCollab before 9.2 could allow an attacker to redirect a user to an unauthorized website by executing malicious script due to insufficient access control.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-12-18T12:46:40.000000Z"}, {"uuid": "17d6c7c4-1190-42fb-9d5c-cf5071bb02a0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27344", "type": "seen", "source": "https://t.me/arpsyndicate/156", "content": "#ExploitObserverAlert\n\nCVE-2020-27344\n\nDESCRIPTION: Exploit Observer has 3 entries related to CVE-2020-27344. The cm-download-manager plugin before 2.8.0 for WordPress allows XSS.\n\nFIRST-EPSS: 0.000760000\nNVD-IS: 2.7\nNVD-ES: 2.8", "creation_timestamp": "2023-11-13T18:56:21.000000Z"}, {"uuid": "418d3ec1-a779-411f-826b-83aebcd41efc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27349", "type": "seen", "source": "https://t.me/cibsecurity/17469", "content": "\u203c CVE-2020-27349 \u203c\n\nAptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-12-09T08:25:14.000000Z"}, {"uuid": "a900cb89-4d05-4820-ba38-bdec17d7a733", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27349", "type": "seen", "source": "https://t.me/cibsecurity/17549", "content": "\u203c CVE-2020-27349 \u203c\n\nAptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-12-09T12:25:06.000000Z"}, {"uuid": "57536c88-1e4b-4fbb-a779-544cfda1ecdb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27348", "type": "seen", "source": "https://t.me/cibsecurity/17140", "content": "\u203c CVE-2020-27348 \u203c\n\nIn some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both plug the home interface or similar. This issue affects snapcraft versions prior to 4.4.4, prior to 2.43.1+16.04.1, and prior to 2.43.1+18.04.1.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-12-04T07:26:42.000000Z"}, {"uuid": "e456cde6-9a3d-4410-b822-b45fc6308be9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27349", "type": "seen", "source": "https://t.me/cibsecurity/17489", "content": "\u203c CVE-2020-27349 \u203c\n\nAptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-12-09T09:25:19.000000Z"}, {"uuid": "3f29209f-4209-4116-b0c9-a8c9ce9e91c1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27349", "type": "seen", "source": "https://t.me/cibsecurity/17529", "content": "\u203c CVE-2020-27349 \u203c\n\nAptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-12-09T11:25:10.000000Z"}, {"uuid": "0dcd885c-4569-4bfd-b218-3f7c76076c13", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27347", "type": "seen", "source": "https://t.me/cibsecurity/15961", "content": "\u203c CVE-2020-27347 \u203c\n\nThe function input_csi_dispatch_sgr_colon() in file input.c contained a stack-based buffer-overflow that can be exploited by terminal output.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-06T07:50:24.000000Z"}, {"uuid": "45c411f8-7fa7-44c2-b91c-60061037f5b1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27349", "type": "seen", "source": "https://t.me/cibsecurity/17509", "content": "\u203c CVE-2020-27349 \u203c\n\nAptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-12-09T10:25:10.000000Z"}, {"uuid": "0f2ce3a0-6060-47df-a2af-063616087c8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27347", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/2056", "content": "#exploit\n1. CVE-2020-27347:\ntmux BoF overflow in escape sequence parser\nhttps://seclists.org/oss-sec/2020/q4/100\n\n2. CVE-2020-27996, CVE-2020-27997:\nRCE/EoP in SmartStoreNET (.NET open source e-commerce system) ver. 4.0\nhttps://securitylab.github.com/advisories/GHSL-2020-138-139-SmartstoreAG-SmartStoreNET", "creation_timestamp": "2024-09-28T17:40:10.000000Z"}, {"uuid": "3dd9c513-d3c4-4aeb-9b53-7eded711bebb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27347", "type": "seen", "source": "https://gist.github.com/XlabAITeam/f0d9952595f795129a3258ba73bbc3cb", "content": "### Product\n\nProduct Name: tmux\n\nProduct URL: https://github.com/tmux/tmux.git\n\nAffected Versions: <= tmux 3.6a \n\nFixed Version: tmux 3.6b\n\nFix commit: https://github.com/tmux/tmux/commit/fc6d94a9f8a593bd8b7031650802084385d4ee03\n\n\n\n### Summary\n\ntmux is a widely used terminal multiplexer that allows users to manage multiple sessions within a single terminal window. tmux supports the Sixel graphics protocol (requires the `--enable-sixel` compile flag, which is enabled by default on some platforms such as Homebrew), allowing terminal programs to output pixel images to panes via standard output. Pixel images are centrally managed by the tmux server. Each image structure is simultaneously linked into a global LRU linked list and a per-screen linked list (`s->images`). The global list enforces a total count limit (default 20); when exceeded, the oldest image is evicted.\n\nWhen a user switches to the alternate screen, tmux migrates all nodes from `s->images` to `s->saved_images` in bulk, but the references in the global LRU list remain unchanged. When LRU eviction occurs, the deallocation function `image_free` unconditionally performs a linked-list removal from `s->images`, without considering that the node may have already been migrated to `s->saved_images`. Performing a doubly-linked list removal on the wrong list corrupts the list metadata, producing a cross-list out-of-bounds write primitive. Meanwhile, the removed node is immediately freed, but the residual pointer in `s->saved_images` still points to the freed memory, constituting a use-after-free. \n\nAn attacker can craft a specific byte sequence and trick a user into outputting it within a tmux pane (e.g., by having the user view a maliciously crafted file in a pane). This triggers the memory corruption in the tmux server process running in the user's environment, which can cause the tmux server process to crash, resulting in the loss of all user sessions and windows \u2014 a denial of service. The attacker may further exploit this UAF write primitive for heap layout manipulation to achieve arbitrary code execution.\n\nCWE: CWE-416: Use After Free\n\n\n### Details\n\n`image_free` in `image.c` always removes the target `struct image` from `s->images`, but after `screen_alternate_on` the image resides in `s->saved_images` instead. Calling `TAILQ_REMOVE` on the wrong list corrupts the TAILQ doubly-linked list metadata of both `s->images` and `s->saved_images`, producing exploitable heap-metadata corruption and/or server crash.\n\n1. Entry Point \u2014 Sixel sequence received from pane process\n\n**File:** `input.c` **Function:** `input_dcs_dispatch()` (line 2583) **Code:**\n\n```c\nsi = sixel_parse(buf, len, p2, w->xpixel, w->ypixel);\nif (si != NULL)\n    screen_write_sixelimage(sctx, si, ictx->cell.cell.bg);\n```\n\n**Issue:** Any data written to a pane's PTY can produce a valid Sixel DCS sequence. This is the untrusted boundary: Spawned Shell / Pane Process \u2192 tmux Server.\n\n2. Image stored and added to both `s->images` and global `all_images`\n\n**File:** `image.c` **Function:** `image_store()` (lines 139\u2013146) **Code:**\n\n```c\nTAILQ_INSERT_TAIL(&s->images, im, entry);          // per-screen list\nTAILQ_INSERT_TAIL(&all_images, im, all_entry);     // global LRU list\nif (++all_images_count == MAX_IMAGE_COUNT)\n    image_free(TAILQ_FIRST(&all_images));          // evict oldest\nreturn (im);\n```\n\n**Issue:** The image is linked into both a per-screen list (`s->images`, via `entry`) and a global list (`all_images`, via `all_entry`). The two linkages are independent fields of `struct image`.\n\n3. Alternate-screen switch silently moves images to `saved_images`\n\n**File:** `screen.c` **Function:** `screen_alternate_on()` (line 667) **Code:**\n\n```c\nTAILQ_CONCAT(&s->saved_images, &s->images, entry);\n```\n\n**Issue:** `TAILQ_CONCAT` splices all elements of `s->images` onto the end of `s->saved_images` and then sets `s->images` to empty. After this call every previously-stored image still lives in `all_images` (via `all_entry`) but now lives in `s->saved_images` (not `s->images`) via `entry`. The `im->s` backpointer still points to the same `screen *s`.\n\n4. Eviction via LRU calls `image_free` with wrong per-screen list\n\n**File:** `image.c` **Function:** `image_free()` (lines 54\u201367) **Code:**\n\n```c\nstatic void\nimage_free(struct image *im)\n{\n    struct screen *s = im->s;\n\n    TAILQ_REMOVE(&all_images, im, all_entry);    // correct: removes from global list\n    all_images_count--;\n\n    TAILQ_REMOVE(&s->images, im, entry);         // BUG: im is in s->saved_images, not s->images\n    sixel_free(im->data);\n    free(im->fallback);\n    free(im);\n}\n```\n\n**Issue:** `image_free` unconditionally removes `im` from `s->images`. If the image has been moved to `s->saved_images` by `screen_alternate_on`, this is the wrong list. `TAILQ_REMOVE` on the wrong TAILQ corrupts both list's head/tail/prev pointers. See Vulnerability Description for the exact corruption.\n\n5. Corruption propagated on next list operation\n\n**File:** `image.c` (and callers) **Function:** any subsequent TAILQ operation on `s->images` or `s->saved_images` **Code:**\n\n```c\n// Any of: TAILQ_INSERT_TAIL(&s->images, ...), TAILQ_FOREACH_SAFE(..., &s->images, ...),\n//          TAILQ_CONCAT(&s->images, &s->saved_images, entry)   [in screen_alternate_off]\n```\n\n**Issue:** A corrupted TAILQ causes write-what-where heap corruption, use-after-free when iterating, or NULL dereference, depending on what state the list was left in by the `TAILQ_REMOVE` of a non-member.\n\n\n\n### Impact\n\nAn attacker can craft a specific byte sequence and trick a user into outputting it within a tmux pane (e.g., by having the user view a maliciously crafted file in a pane). This triggers the memory corruption in the tmux server process running in the user's environment, which can cause the tmux server process to crash, resulting in the loss of all user sessions and windows \u2014 a denial of service. The attacker may further exploit this UAF write primitive for heap layout manipulation to achieve arbitrary code execution.\n\n\n\n### Score\n\nSeverity: High, CVSS 4.0 Score: 7.8, Details: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\n\n(Score referenced from CVE-2020-27347)\n\n\n\n### Credit\n\nThis vulnerability was discovered by:\n\n- XlabAI Team of Tencent Xuanwu Lab (xlabai@tencent.com)\n- Atuin Automated Vulnerability Discovery Engine\n- Guannan Wang (wgnbuaa@gmail.com), Zhanpeng Liu (pkugenuine@gmail.com), Guancheng Li (lgcpku@gmail.com)\n\n", "creation_timestamp": "2026-05-22T06:27:44.000000Z"}, {"uuid": "3759d7d8-f672-459d-b3e8-0f84fdba732e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-27346", "type": "seen", "source": "https://t.me/cibsecurity/15822", "content": "\u203c CVE-2020-27346 \u203c\n\n** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-04T07:41:13.000000Z"}]}