and, without escaping any interior HTML tags. Thus, an attacker can create a note that closes the opening
tag, then includes HTML that runs JavaScript. Because the rendered markdown iframe has the same origin as the toplevel document and is not sandboxed, any scripts running in the preview iframe can access the top variable and, thus, access the toplevel NodeJS `require` function. `require` can then be used to import modules like fs or child_process and run arbitrary commands. This issue has been addressed in version 2.12.9 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Metrics
CVSS Version: 3.1 | Base Score: 8.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L
l➤ Exploitability Metrics:
Attack Vector (AV)* NETWORK
Attack Complexity (AC)* LOW
Privileges Required (PR)* LOW
User Interaction (UI)* REQUIRED
Scope (S)* CHANGED
l➤ Impact Metrics:
Confidentiality Impact (C)* HIGH
Integrity Impact (I)* LOW
Availability Impact (A)* LOW
Weakness Enumeration (CWE)
CWE-ID: CWE-79
CWE Name: CWE-79: Improper Neutralization of Input During Web Page Generation ( Cross-site Scripting )
Source: laurent22
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC-ID:
CAPEC Description:
▸ CVE-2024-9999 ◂ Discovered: 12/11/2024 Status: PUBLISHED |
▸ CVE-2024-9997 ◂ Discovered: 29/10/2024 Status: PUBLISHED |
▸ CVE-2024-9996 ◂ Discovered: 29/10/2024 Status: PUBLISHED |
Tags:
CVE-2023-37898 Vulnerability Details