Releases455
Frequency3 weeks 4 days
Last Release
Stars723
Less - text pager

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
<= 6538.6 HIGH

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the LESSOPEN environment variable, but this is set by default in many common cases.

< 6067.8 HIGH

close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.

>= 566, < 6097.5 HIGH

In GNU Less before 609, crafted data can result in "less -R" not filtering ANSI escape sequences sent to the terminal.