Typora WSH JScript code injection
CVE-2023-1003

7.8HIGH

Key Information:

Vendor

Typora

Status
Typora
Vendor
CVE Published:
7 March 2023

What is CVE-2023-1003?

A code injection vulnerability has been identified in Typora versions up to 1.5.5 on Windows. This vulnerability affects the WSH JScript Handler, allowing attackers to manipulate the system. The exploitation of this vulnerability requires local access, making it particularly concerning for users with shared environments. An upgrade to version 1.5.8 is crucial to mitigate this risk and secure the application against potential exploits that have already been disclosed publicly.

Affected Version(s)

Typora 1.5.0

Typora 1.5.1

Typora 1.5.2

References

https://vuldb.com/?id.221736
vdb-entrytechnical-description
https://vuldb.com/?ctiid.221736
signaturepermissions-required
https://github.com/typora/typora-issues/issues/5623
exploitissue-tracking

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tom23 (VulDB User)
JSON
.