Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Obsidian Security Vulnerabilities

cve
cve

CVE-2023-2110

Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text....

8.2CVSS

6.6AI Score

0.001EPSS

2023-08-19 06:15 AM
28
cve
cve

CVE-2023-33244

Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embedded web...

8.2CVSS

8.1AI Score

0.002EPSS

2023-05-20 07:15 PM
38
cve
cve

CVE-2023-27035

An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas...

7.5CVSS

8AI Score

0.003EPSS

2023-05-01 10:15 PM
285
cve
cve

CVE-2023-24044

A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended...

6.1CVSS

6.3AI Score

0.002EPSS

2023-01-22 03:15 AM
34
cve
cve

CVE-2022-45130

Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names...

6.5CVSS

6.4AI Score

0.001EPSS

2022-11-10 06:15 AM
27
9
cve
cve

CVE-2022-36450

Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the...

9.8CVSS

9.7AI Score

0.007EPSS

2022-07-25 07:15 AM
777
6
cve
cve

CVE-2021-42057

Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use...

7.8CVSS

7.9AI Score

0.001EPSS

2021-11-04 09:15 PM
21
cve
cve

CVE-2021-35976

The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server....

6.1CVSS

6AI Score

0.001EPSS

2021-09-10 12:15 PM
34
cve
cve

CVE-2021-38148

Obsidian before 0.12.12 does not require user confirmation for non-http/https...

9.8CVSS

9.5AI Score

0.002EPSS

2021-08-07 03:15 AM
743
6
cve
cve

CVE-2020-11583

A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET...

6.1CVSS

6AI Score

0.002EPSS

2020-08-03 09:15 PM
53