Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-2317

DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading typora://app/typemark/updater/update.html in <embed> tag. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.

Published

2023-08-19T06:15:46.687

Last Modified

2024-11-21T07:58:22.570

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.6 (HIGH)

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	typora	typora	< 1.6.7	Yes
Operating System	linux	linux_kernel	-	No
Operating System	microsoft	windows	-	No

References

https://starlabs.sg/advisories/23/23-2317/ Exploit, Mitigation, Third Party Advisory ([email protected])
https://support.typora.io/What's-New-1.6/ Vendor Advisory ([email protected])
https://starlabs.sg/advisories/23/23-2317/ Exploit, Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.typora.io/What's-New-1.6/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)