Lucene search

MitreCVELIST:CVE-2019-20374

HistoryJan 09, 2020 - 10:40 p.m.

CVE-2019-20374

2020-01-0922:40:29

mitre

www.cve.org

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.5%

JSON

A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. The XSS vulnerability is then triggered due to improper HTML sanitization. Given that the application is based on the Electron framework, the XSS leads to remote code execution in an unsandboxed environment.

References

github.com/cure53/DOMPurify/commit/4e8af7b2c4a159b683d317e02c5cbddb86dc4a0e

github.com/typora/typora-issues/issues/3124

8.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.5%

JSON

Related for CVELIST:CVE-2019-20374