markdown-pdf 11.0.0 - Local File Read via Server Side XSS
7.5
High
Discovered by

Offensive Team, Fluid Attacks
Summary
Full name
markdown-pdf 11.0.0 - Local File Read
Code name
State
Public
Release date
10 Apr 2023
Affected product
markdown-pdf
Affected version(s)
Version 11.0.0
Vulnerability name
Server Side XSS
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v3.1 base score
7.5
Exploit available
Yes
CVE ID(s)
CVE-2023-0835
Description
markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files from the host that generates the PDF. This is possible because the application renders the Markdown content entered by the user without validating it, so HTML and script embedded in that Markdown are executed by the renderer.
Vulnerability
This vulnerability occurs because the application does not validate that the Markdown content entered by the user is free of active content (a server-side XSS) before rendering it to PDF.
Exploitation
To exploit this vulnerability, we only need to send the following malicious Markdown to markdown-pdf:
Exploit.md
Thus, when markdown-pdf parses the malicious Markdown, the generated PDF contains the contents of the local file specified in the payload.
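The root cause described above, as an added example that is not part of the advisory or of markdown-pdf's own code: a minimal Markdown-to-HTML step that either passes raw HTML through unchanged (which is what a headless-browser PDF renderer then executes, with the renderer's own filesystem reachable) or escapes it into inert text, plus a pre-render check and sanitiser that an integrator can apply on its own side while no patch exists. The sample Markdown, and the names renderMarkdown, findActiveContent and sanitizeMarkdown, are constructed for this example; the advisory's own Exploit.md is not reproduced.

```javascript
// Added example, not markdown-pdf's code. Models the advisory's root cause
// (user Markdown with raw HTML reaches a headless renderer untouched) and one
// integrator-side mitigation. Sample input and function names are constructed.

// Constructed Markdown of the kind the advisory warns about: ordinary text
// plus raw HTML that a headless renderer would execute, including a script
// that reads a file from the renderer's own filesystem into the page.
const SAMPLE_MD = [
  '# Quarterly report',
  '',
  'Totals are attached below.',
  '',
  '<script>',
  '  var x = new XMLHttpRequest();',
  "  x.open('GET', 'file:///etc/hostname', false);",
  '  x.send();',
  "  document.write('<pre>' + x.responseText + '</pre>');",
  '</script>',
  '',
  '<iframe src="file:///etc/hostname"></iframe>',
  '',
  '<img src="x" onerror="alert(document.domain)">',
].join('\n');

const ACTIVE_TAGS = /<\/?\s*(script|iframe|object|embed|link|meta|base|style|svg|math|form)\b[^>]*>/gi;
const EVENT_HANDLERS = /\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
const DANGEROUS_URLS = /\b(javascript|file|data|vbscript)\s*:/gi;

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Deliberately small Markdown-to-HTML converter: "#" headings, everything else
// a paragraph. With allowHtml: true, a line starting with "<" opens an HTML
// block that is copied verbatim until the next blank line, which is what a
// converter configured to accept inline HTML does. With allowHtml: false the
// same lines are escaped and become inert text. (Inline HTML inside headings
// is always escaped here; the point is the block passthrough.)
function renderMarkdown(md, { allowHtml = false } = {}) {
  const out = [];
  let inHtmlBlock = false;
  for (const line of md.split('\n')) {
    if (line.trim() === '') { inHtmlBlock = false; continue; }
    if (allowHtml && (inHtmlBlock || line.startsWith('<'))) {
      inHtmlBlock = true;
      out.push(line);                 // raw HTML, script included, reaches the renderer
      continue;
    }
    const m = /^(#{1,6})\s+(.*)$/.exec(line);
    out.push(m ? `<h${m[1].length}>${escapeHtml(m[2])}</h${m[1].length}>`
               : `<p>${escapeHtml(line)}</p>`);
  }
  return `<html><body>\n${out.join('\n')}\n</body></html>`;
}

// Pre-render check: report the constructs that turn a PDF renderer into a
// file reader. Returns [] for Markdown that carries no active content.
function findActiveContent(md) {
  const findings = [];
  for (const m of md.matchAll(ACTIVE_TAGS)) findings.push({ kind: 'tag', match: m[0] });
  for (const m of md.matchAll(EVENT_HANDLERS)) findings.push({ kind: 'event-handler', match: m[0].trim() });
  for (const m of md.matchAll(DANGEROUS_URLS)) findings.push({ kind: 'url-scheme', match: m[0] });
  return findings;
}

// Strip rather than trust: drop whole <script> blocks, the other active tags,
// inline event handlers, and URL schemes the renderer could resolve locally.
// The result is Markdown that findActiveContent no longer flags.
function sanitizeMarkdown(md) {
  return md
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(ACTIVE_TAGS, '')
    .replace(EVENT_HANDLERS, '')
    .replace(DANGEROUS_URLS, 'blocked:');
}

console.log('--- HTML passthrough (vulnerable configuration) ---');
console.log(renderMarkdown(SAMPLE_MD, { allowHtml: true }));
console.log('--- findings before rendering ---');
console.log(findActiveContent(SAMPLE_MD));
console.log('--- sanitised, then rendered with HTML disabled ---');
console.log(renderMarkdown(sanitizeMarkdown(SAMPLE_MD), { allowHtml: false }));
```

Rendering with HTML disabled is the primary fix; the sanitiser is defence in depth for pipelines that must keep some inline HTML, and findActiveContent doubles as a rejection gate (fail closed on any finding) for untrusted submissions.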
Our security policy
We have reserved the ID CVE-2023-0835 to refer to this issue from now on.
Disclosure policy
System Information
Version: markdown-pdf 11.0.0
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://www.npmjs.com/package/markdown-pdf/
Timeline
Vulnerability discovered
20 Feb 2023
Vendor contacted
20 Feb 2023
Vendor replied
20 Feb 2023
Public disclosure
10 Apr 2023