| Titel | cronoh nanovault v1.2.1 Code Injection |
|---|
| Beschreibung | We discovered a one-click remote code execution vulnerability in the latest version (v1.2.1) of the [NanoVault app](https://github.com/cronoh/nanovault). An attacker can exploit this vulnerability by embedding a specially crafted xrb: URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app’s custom URL handler (`xrb:`), causing the NanoVault application to launch and process the URL, leading to remote code execution on the victim’s machine. |
|---|
| Quelle | ⚠️ https://gist.github.com/jackfromeast/1e2e206813887a470e00b8474c616567 |
|---|
| Benutzer | Zhengyu Liu (UID 84541) |
|---|
| Einreichung | 20.07.2025 04:12 (vor 11 Monaten) |
|---|
| Moderieren | 04.08.2025 14:01 (15 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 318665 [cronoh NanoVault bis 1.2.1 xrb URL /main.js executeJavaScript Cross Site Scripting] |
|---|
| Punkte | 20 |
|---|