emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a     crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is     fixed in 29.0.90 (CVE-2023-27985)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote NewStart CGSL host, running version MAIN 7.02, has emacs packages installed that are affected by multiple vulnerabilities:

  - GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a     source-code file, because lib-src/etags.c uses the system C library function in its implementation of the     etags program. For example, a victim may use the etags -u * command (suggested in the etags     documentation) in a situation where the current working directory has contents that depend on untrusted     input. (CVE-2022-48337)

  - GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a     source-code file, because lib-src/etags.c uses the system C library function in its implementation of the     ctags program. For example, a victim may use the ctags * command (suggested in the ctags documentation)     in a situation where the current working directory has contents that depend on untrusted input.
    (CVE-2022-45939)

  - An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function     has a local command injection vulnerability. The ruby-find-library-file function is an interactive     function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-     command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may     cause commands to be executed. (CVE-2022-48338)

  - An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability.
    In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and     parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be     executed. (CVE-2022-48339)

  - emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a     crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is     fixed in 29.0.90 (CVE-2023-27985)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the emacs package has been released.

The version of emacs installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-27985 advisory.

  - emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a     crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is     fixed in 29.0.90 (CVE-2023-27985)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-134 advisory.

    emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a     crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification.
    (CVE-2023-27985)

    emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a     crafted mailto: URI with unescaped double-quote characters. (CVE-2023-27986)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
250067	Linux Distros Unpatched Vulnerability : CVE-2023-27985	Nessus	Misc.	high
242832	NewStart CGSL MAIN 7.02 : emacs Multiple Vulnerabilities (NS-SA-2025-0115)	Nessus	NewStart CGSL Local Security Checks	critical
204404	Photon OS 5.0: Emacs PHSA-2023-5.0-0048	Nessus	PhotonOS Local Security Checks	high
173385	CBL Mariner 2.0 Security Update: emacs (CVE-2023-27985)	Nessus	MarinerOS Local Security Checks	high
173343	Amazon Linux 2023 : emacs, emacs-common, emacs-devel (ALAS2023-2023-134)	Nessus	Amazon Linux Local Security Checks	high

Detections

Analytics

CVE-2023-27985

high

Tenable Plugins

high

critical

high

high

high