Description
Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>".
This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.
References
- Exploit, Mitigation, Third Party Advisory
- Vendor Advisory
- Exploit, Mitigation, Third Party Advisory
- Vendor Advisory
Vulnerable configurations
Configuration 1: version before 1.6.7 (exclusive)
All of
cpe:2.3:a:typora:typora:*:*:*:*:*:*:*:*
One of
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
EPSS: 0.00366 (percentile: 58%), Low
CVSS3: 7.4 High
Weaknesses
CWE-22
Related vulnerabilities
CVSS3: 7.4
github
more than 2 years ago
Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.