In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially exploitable."
The user setting "Terminal may report window title", which should block the ability of the terminal to report the window title, is not actually enforced by the application. A malicious remote webpage can exploit this vulnerability (classified as CWE-94 – improper control of generation of code) to inject and execute arbitrary code on the victim's machine. The attack requires no authentication or user interaction, and access is gained over the network.
An attacker can remotely execute arbitrary code on the victim's system, potentially leading to complete system takeover, data exfiltration, or further lateral movement in the network.
iTerm2 should be updated to version 3.5.2 or later, available at https://iterm2.com/downloads.html. The fix was introduced in commit f1e89f78dd72dcac3ba66d3d6f93db3f7f649219.
iTerm2 versions earlier than 3.5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIterm2
APPIterm23.5.0 – 3.5.2 (bez)
Related vulnerabilities
iTerm2: wyciek danych z poleceń terminalowych przez plik /tmp/framer.txt
iTerm2: wstrzyknięcie kodu przez sekwencję escape w integracji tmux (RCE)
iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize paths in x-man-page URLs. They may have ...
iTermSessionLauncher.m in iTerm2 before 3.5.0beta12 does not sanitize ssh hostnames in URLs. The hostname's in...
iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequen...