
That's what the bug bounty person says about their CJ bug. Meanwhile: NVD has given this the same score as Shellshock, which is dispositive of how bad CVSS is.


In fact, it is dispositive about exactly the opposite. But let's agree to disagree.


Shellshock was a universal RCE in anything that ran bash with control over environment variables --- which included a huge subset of all web services, often on any code path in which bash was just incidentally run. Not only that, but the vulnerability was exploited in bash; it wasn't memory corruption, there were no system-specific offsets to limit the scope of exploits, nor could you have preemptively hardened a system against it with ASLR or W^X.

NVD gives Shellshock the same CVSS as this vulnerability, which requires a user in xterm to see a bunch of international UTF-8 characters and select them precisely enough to make a memory corruption exploit encoded in those characters run --- and do that without any feedback from the target, because what you're interacting with here is xterm, not a network service you can talk directly to, or a JavaScript runtime.

I do not agree to disagree. The CVSS here is simply wrong.



