CVE-2019-20374

Published: Jan 9, 2020

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0

8.3

HIGH

Description

A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. The XSS vulnerability is then triggered due to improper HTML sanitization. Given that the application is based on the Electron framework, the XSS leads to remote code execution in an unsandboxed environment.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:R

Attack Complexity

High

Attack Vector

Network

Availability

High

Confidentiality

High

Integrity

High

Privileges Required

None

Scope

Changed

User Interaction

Required

References

https://github.com/typora/typora-issues/issues/3124

x_refsource_MISC

https://github.com/cure53/DOMPurify/commit/4e8af7b2c4a159b683d317e02c5cbddb86dc4a0e

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2019-20374

Description

Affected Products

CVSS v3.0 Details

References