Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
1 vulnerability by proton_project
CVE-2022-25224 (GCVE-0-2022-25224)
Vulnerability from cvelistv5 – Published: 2022-05-20 11:04 – Updated: 2024-08-03 04:36
VLAI?
Summary
Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.
Severity ?
No CVSS data available.
CWE
- XSS to RCE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:36:06.522Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fluidattacks.com/advisories/lennon/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Proton",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "0.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS to RCE",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-20T11:04:12.000Z",
"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"shortName": "Fluid Attacks"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://fluidattacks.com/advisories/lennon/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "help@fluidattacks.com",
"ID": "CVE-2022-25224",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Proton",
"version": {
"version_data": [
{
"version_value": "0.2.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS to RCE"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://fluidattacks.com/advisories/lennon/",
"refsource": "MISC",
"url": "https://fluidattacks.com/advisories/lennon/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
"assignerShortName": "Fluid Attacks",
"cveId": "CVE-2022-25224",
"datePublished": "2022-05-20T11:04:12.000Z",
"dateReserved": "2022-02-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:36:06.522Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}