Описание
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.
Ссылки
- ExploitIssue TrackingThird Party Advisory
- ExploitIssue TrackingThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.4.11 (включая)
Одно из
cpe:2.3:a:obsidian:obsidian_dataview:*:*:*:*:*:*:*:*
cpe:2.3:a:obsidian:obsidian_dataview:0.4.12:-:*:*:*:*:*:*
cpe:2.3:a:obsidian:obsidian_dataview:0.4.12:hotfix1:*:*:*:*:*:*
EPSS
Процентиль: 52%
0.00295
Низкий
7.8 High
CVSS3
9.3 Critical
CVSS2
Дефекты
CWE-94
Связанные уязвимости
CVSS3: 7.8
github
больше 3 лет назад
Obsidian Dataview vulnerable to code injection due to unsafe eval
EPSS
Процентиль: 52%
0.00295
Низкий
7.8 High
CVSS3
9.3 Critical
CVSS2
Дефекты
CWE-94