| Название | cronoh nanovault v1.2.1 Code Injection |
|---|
| Описание | We discovered a one-click remote code execution vulnerability in the latest version (v1.2.1) of the [NanoVault app](https://github.com/cronoh/nanovault). An attacker can exploit this vulnerability by embedding a specially crafted xrb: URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app’s custom URL handler (`xrb:`), causing the NanoVault application to launch and process the URL, leading to remote code execution on the victim’s machine. |
|---|
| Источник | ⚠️ https://gist.github.com/jackfromeast/1e2e206813887a470e00b8474c616567 |
|---|
| Пользователь | Zhengyu Liu (UID 84541) |
|---|
| Представление | 20.07.2025 04:12 (11 месяцы назад) |
|---|
| Модерация | 04.08.2025 14:01 (15 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 318665 [cronoh NanoVault до 1.2.1 xrb URL /main.js executeJavaScript межсайтовый скриптинг] |
|---|
| Баллы | 20 |
|---|