CVE Vulnerability

CVE-2022-41710

Markdownify version 1.4.1 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Markdownify. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them.

5.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/amitmerchant1990/electron-markdownify Product Third Party Advisory
https://fluidattacks.com/advisories/noisestorm/ Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:markdownify_project:markdownify:1.4.1:*:*:*:*:*:*:*
Information

Published : 2022-11-03 08:15

Updated : 2022-11-04 02:57

NVD link : CVE-2022-41710

Mitre link : CVE-2022-41710

Products Affected
No products.
CWE
CWE-552