CVE Vulnerability

CVE-2019-20374

A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. The XSS vulnerability is then triggered due to improper HTML sanitization. Given that the application is based on the Electron framework, the XSS leads to remote code execution in an unsandboxed environment.

6.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 6.4

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

9.6 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/cure53/DOMPurify/commit/4e8af7b2c4a159b683d317e02c5cbddb86dc4a0e Patch Third Party Advisory
https://github.com/typora/typora-issues/issues/3124 Third Party Advisory
Configurations

Configuration 1
Information

Published : 2020-01-09 11:15

Updated : 2021-09-08 05:22

NVD link : CVE-2019-20374

Mitre link : CVE-2019-20374

Products Affected

Apple

Macos

Typora

CWE
CWE-79