CVE-2019-20374
CVE-2019-20374 is a critical-severity vulnerability rated 9.6/10 on the CVSS scale. A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. EPSS estimates a 2.30% chance of exploitation in the next 30 days.
Description
A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. The XSS vulnerability is then triggered due to improper HTML sanitization. Given that the application is based on the Electron framework, the XSS leads to remote code execution in an unsandboxed environment.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Typora | Typora | Linux | <= 0.9.81 |
| Typora | Typora | macOS | <= 0.9.9.31.2 |
References
- https://github.com/cure53/DOMPurify/commit/4e8af7b2c4a159b683d317e02c5cbddb86dc4a0e (Patch, Third Party Advisory)
- https://github.com/typora/typora-issues/issues/3124 (Third Party Advisory)
Source: NVD / NIST
