CVE-2023-51887: 
Linux Debian vulnerability analysis and mitigation

Command Injection vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in application URL. The vulnerability was discovered and disclosed on January 24, 2024, affecting all versions of Mathtex up to and including version 1.05. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) (NVD).

The vulnerability exists in the main function where improper filtering allows attackers to bypass security controls and execute arbitrary commands. The issue specifically occurs in the processing of the \which directive, where the filtering mechanism can be circumvented. Attackers can use semicolons (;) to execute additional commands and can bypass whitespace filtering using $IFS. The vulnerability has been assigned CWE-77 (Improper Neutralization of Special Elements used in a Command) (Yulun Blog).

The vulnerability allows remote attackers to execute arbitrary commands on the affected system. Given the CVSS score of 9.8, this is considered a critical severity issue that could lead to complete system compromise, allowing attackers to execute commands with the same privileges as the web server process (NVD).

As of the current data, there is no official patch available for this vulnerability. Organizations using Mathtex v1.05 or earlier versions should consider disabling the application until a security update is available or implement strict input filtering at the web server level (Debian Tracker).