Mutation Cross-Site Scripting Vulnerability in Typora by Typora
CVE-2019-20374

8.3HIGH

Key Information:

Vendor

Typora

Status
Typora
Vendor
CVE Published:
9 January 2020

What is CVE-2019-20374?

A mutation cross-site scripting (XSS) vulnerability exists in Typora that could allow remote code execution. This flaw affects versions up to 0.9.9.31.2 on macOS and 0.9.81 on Linux. Users can inadvertently trigger the XSS when opening a specially crafted file, which exploits improper HTML sanitization within the application's Electron framework. As a result, an attacker can execute malicious code in an unsandboxed environment, posing significant risks to system integrity and data security.

References

https://github.com/typora/typora-issues/issues/3124
x_refsource_MISC
https://github.com/cure53/DOMPurify/commit/4e8af7b2c4a159...
x_refsource_MISC

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.