← Back to CVE List

CVE-2021-3727

Published: 2021-11-30T10:15Z
Last Modified: 2024-11-21T06:22Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function). > MITRE Terms of Use apply – see LICENSE‑MITRE.txt