Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Maplesoft Maple Command Execution Vulnerability via Malicious Maplet Files
Vulnerability
A code injection vulnerability exists in the Maplet framework of Maplesoft Maple, in versions through and including 13. Commands embedded in a .maplet file are executed automatically when the file is opened, bypassing the security restrictions that normally prevent code execution in regular Maple worksheets. Unlike regular worksheets, Maplets can run code automatically, so an attacker can craft a malicious .maplet file that executes arbitrary code with no user interaction beyond opening the file.
Impact
Successful exploitation results in arbitrary code execution on the user's machine, in the context of the user running Maple.
Reproduction
To reproduce this vulnerability, create a .maplet file that includes embedded commands designed to execute arbitrary code. When this file is opened in Maple versions through 13, the embedded commands execute automatically, without any user interaction.
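Because a Maplet runs its embedded commands as soon as it is opened, a practical triage step is to locate .maplet files that have already reached a host, share or mail export, including ones delivered inside ZIP archives. The script below is an added example, not part of the original advisory or any Maplesoft tooling; the size cap, function names and sample file names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
import zipfile
import zlib

MAPLET_EXT = ".maplet"          # file type named in the advisory
MAX_BYTES = 50 * 1024 * 1024    # assumed size cap before hashing a zip member

def is_maplet(name):  # case-insensitive; trailing dots and spaces are ignored
    return name.rstrip(". ").lower().endswith(MAPLET_EXT)

def scan_zip(path, hits):
    try:
        zf = zipfile.ZipFile(path)
    except zipfile.BadZipFile:
        return                  # damaged central directory: nothing to list
    with zf:
        for info in zf.infolist():
            if info.is_dir() or not is_maplet(info.filename):
                continue
            digest = None       # stays None if the member cannot be read safely
            if info.file_size <= MAX_BYTES:
                try:
                    digest = hashlib.sha256(zf.read(info)).hexdigest()
                except (RuntimeError, zipfile.BadZipFile, zlib.error):
                    pass        # encrypted or damaged member: report name only
            hits.append((f"{path}!{info.filename}", digest))

def find_maplets(root):
    """Return (location, sha256 or None) for each .maplet under root, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_maplet(name):
                with open(path, "rb") as fh:
                    hits.append((path, hashlib.sha256(fh.read()).hexdigest()))
            elif zipfile.is_zipfile(path):
                scan_zip(path, hits)
    return sorted(hits, key=lambda hit: hit[0])

def demo():  # scans a constructed sample tree with placeholder contents
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.mw", "Quiz.MAPLET"):
            open(os.path.join(root, name), "w").close()
        with zipfile.ZipFile(os.path.join(root, "mail.zip"), "w") as zf:
            zf.writestr("docs/lab.maplet", "placeholder")
            zf.writestr("readme.txt", "placeholder")
        return [os.path.relpath(loc, root) for loc, _ in find_maplets(root)]
```

A `None` digest marks an archive member that was too large, encrypted or damaged, so the file name is still reported for manual review.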
