CVE-2019-20374

Published January 9th, 2020

View on NVD ↗

CVSS v3

9.6

CRITICAL

CVSS v2

6.8

MEDIUM

Affected

PROJECTS

Description

A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. The XSS vulnerability is then triggered due to improper HTML sanitization. Given that the application is based on the Electron framework, the XSS leads to remote code execution in an unsandboxed environment.

cure53/DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

GitHub

17.1K

typora/typora-issues

Bugs, suggestions or free discussions about the minimal markdown editor — Typora

GitHub

1.58K