CVE-2022-25224
Last modified
CVE-2022-25224 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. EPSS estimates a 0.65% chance of exploitation in the next 30 days.
Description
Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Proton Project | Proton | 0.2.0 |
References
- https://fluidattacks.com/advisories/lennon/Exploit, Third Party Advisory
- https://fluidattacks.com/advisories/lennon/Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-25224?
How severe is CVE-2022-25224?
How do I fix CVE-2022-25224?
Are you affected by CVE-2022-25224?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST