| Title | cronoh nanovault v1.2.1 Code Injection |
|---|---|
| Description | We discovered a one-click remote code execution vulnerability in the latest version (v1.2.1) of the [NanoVault app](https://github.com/cronoh/nanovault). An attacker can exploit this vulnerability by embedding a specially crafted `xrb:` URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app’s custom URL handler (`xrb:`), causing the NanoVault application to launch and process the URL, leading to remote code execution on the victim’s machine. |
| Source | https://gist.github.com/jackfromeast/1e2e206813887a470e00b8474c616567 |
| User | Zhengyu Liu (UID 84541) |
| Submission | 2025-07-20 04:12 AM (11 months ago) |
| Moderation | 2025-08-04 02:01 PM (15 days later) |
| Status | Accepted |
| VulDB Entry | 318665 [cronoh NanoVault up to 1.2.1 xrb URL /main.js executeJavaScript cross site scripting] |
| Points | 20 |