| Field | Value |
|---|---|
| Title | lettura v0.1.22 XSS |
| Description | The description.content of media_object is directly concatenated into HTML and rendered via wraperWithRadix/HTMLReactParser without going through DOMPurify; controllable RSS content can directly XSS the main WebView, and the fact that CSP is off while the Tauri allowlist is enabled with "fs" amplifies the impact. Attackers could exploit this vulnerability to launch an SSRF attack or read/write the contents of the Download folder. |
| Source | https://gist.github.com/youremailaddress/cba7c19a4eafcb326d0e912adf132be3 |
| User | cranb3rry (UID 72730) |
| Submitted | 27/12/2025 03:13 AM (4 months ago) |
| Moderation | 04/01/2026 09:57 AM (8 days later) |
| Status | Approved |
| VulDB Entry | 339487 [zhanglun lettura up to 0.1.22 RSS ContentRender.tsx cross site scripting] |
| Points | 19 |