Typora DOM-Based Cross-site Scripting leading to Remote Code Execution
CVE-2023-2317

8.6HIGH

Key Information:

Vendor: Typora
Status: Typora
Vendor: CVE Published:; 19 August 2023

What is CVE-2023-2317?

Typora, a popular markdown editor, has a vulnerability that allows DOM-based Cross-Site Scripting (XSS) through the updater interface. On Windows and Linux systems, if a user opens a specially crafted markdown file or pastes text from a compromised webpage into Typora, arbitrary JavaScript code can be executed within the context of the Typora main window. This exploitation occurs via the loading of the updater page through the 'typora://app/typemark/updater/update.html' embedded tag, potentially leading to severe misuse of the application.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Typora Windows 0 < 1.6.7

References

https://support.typora.io/What's-New-1.6/

release-notes

https://starlabs.sg/advisories/23/23-2317/

third-party-advisory

EPSS Score

49% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 19, 2023
Vulnerability Reserved
Apr 27, 2023

Credit

Li Jiantao (@CurseRed) of STAR Labs SG Pte. Ltd. (@starlabs_sg)

JSON

Typora

What is CVE-2023-2317?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.