CVE-2022-21158 in MarkText
Summary
by MITRE • 03/10/2022
A stored cross-site scripting vulnerability in marktext versions prior to v0.17.0 due to improper handling of the link (with javascript: scheme) inside the document may allow an attacker to execute an arbitrary script on the PC of the user using marktext.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/14/2022
This vulnerability represents a critical stored cross-site scripting flaw in marktext versions before v0.17.0 that stems from inadequate input validation and sanitization of hyperlink references within document content. The issue specifically manifests when documents contain links using the javascript: scheme, which should be strictly prohibited in markdown editors to prevent malicious script execution. The vulnerability classifies under CWE-79 as a failure to sanitize user-provided data, allowing attackers to inject malicious javascript code that persists within the document storage. When unsuspecting users open these compromised documents, the embedded javascript executes within the application context, potentially enabling attackers to perform arbitrary actions on the victim's system. The attack vector requires social engineering to convince users to open maliciously crafted documents containing the javascript payload, making this a significant threat in environments where users frequently exchange markdown documents. This vulnerability directly maps to attack techniques in the ATT&CK framework under T1203 as an execution through malicious document files, and T1566 as a social engineering approach. The flaw exists because marktext fails to properly validate or sanitize hyperlink attributes during document parsing, specifically allowing javascript: URIs to be processed without proper escaping or removal. The impact extends beyond simple script execution as the application context provides access to local file system operations and potentially network communications through the application's permissions. Users who regularly work with markdown documents from untrusted sources face significant risk, as the vulnerability can be exploited through document sharing in collaborative environments, version control systems, or file transfer protocols. The security implications are particularly severe given that marktext operates with elevated privileges when processing local files, potentially allowing attackers to access sensitive data or perform unauthorized system operations. Organizations relying on marktext for documentation or content creation must consider this vulnerability as a potential entry point for more sophisticated attacks, especially in environments where document collaboration is common. The remediation requires updating to version 0.17.0 or later, which implements proper input validation and sanitization of hyperlink references, specifically blocking javascript: URIs and other dangerous schemes. Additionally, administrators should implement strict document validation policies and educate users about the risks of opening documents from untrusted sources, as the vulnerability can be exploited through various document formats that marktext supports. The fix addresses the root cause by implementing a comprehensive whitelist approach for URI schemes, ensuring only safe protocols like http, https, and ftp are allowed while blocking potentially malicious schemes that could lead to script execution.