Zettlr 2.3.0 - Local File Read
| Field | Value |
|---|---|
| Name | Zettlr 2.3.0 - Local File Read |
| Affected versions | Version 2.3.0 |
| Kind | Insecure or unset HTTP headers - Content-Security-Policy |
| Rule | 043. Insecure or unset HTTP headers - Content-Security-Policy |
| CVSSv3 Base Score | 5.5 |
Zettlr version 2.3.0 allows an external attacker to remotely obtain arbitrary local files from any client that views a malicious markdown file through Zettlr.
This vulnerability occurs because the application does not have a Content-Security-Policy (or at least not a strict enough one) and/or does not properly validate the contents of markdown files before rendering them. As a result, an attacker can embed malicious JS code in a markdown file and send it to the victim to view, thereby exfiltrating the victim's local files.
More about this functionality here: https://docs.zettlr.com/en/core/print-preview/
To exploit this vulnerability, you must send the following file to a user to open with Zettlr. The exploit is triggered when the user presses CTRL+P or simply clicks
```html
<script>fetch("file:///etc/private").then(response => response.text()).then(leak => alert(leak))</script>
```
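As an added illustration of the two controls the advisory names (this is not part of the advisory and not Zettlr's code), the following checker evaluates whether a given Content-Security-Policy would still let an inline script execute and a file:// fetch like the one above succeed, and flags raw script tags in a markdown file before it is rendered. The treatment of `'self'` in a file:-loaded Electron renderer is an assumption, marked in the code.

```javascript
// Added example (not Zettlr's code). Models the two CSP capabilities the
// advisory's payload needs: executing an inline <script> (script-src) and
// fetch()ing a file:// URL (connect-src), then checks weak and hardened policies.

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(policy) {
  const out = {};
  for (const part of (policy || '').split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return out;
}

// Effective source list for a fetch directive; falls back to default-src.
// null means the policy says nothing, so the browser default (allow) applies.
function sourcesFor(csp, directive) {
  return csp[directive] || csp['default-src'] || null;
}

// Would an inline <script> injected into the rendered document execute?
// A nonce or hash disables 'unsafe-inline' in CSP2+ user agents, and
// attacker-controlled markdown cannot carry a valid nonce, so only a bare
// 'unsafe-inline' (or no script-src/default-src at all) allows it.
function allowsInlineScript(policy) {
  const src = sourcesFor(parseCsp(policy), 'script-src');
  if (src === null) return true;
  const hasNonceOrHash = src.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
  return src.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Would fetch("file:///...") from the renderer be permitted by CSP?
// '*' is treated conservatively as permissive. Electron renderers are often
// themselves loaded from file:, so 'self' is flagged too (assumption: 'self'
// then matches file: URLs; verify against the actual build).
function allowsFileFetch(policy) {
  const src = sourcesFor(parseCsp(policy), 'connect-src');
  if (src === null) return true;
  return src.some(s => s === '*' || s === 'file:' || s === "'self'");
}

// Combined verdict: the payload needs both capabilities to exfiltrate a file.
function payloadBlocked(policy) {
  return !(allowsInlineScript(policy) && allowsFileFetch(policy));
}

// Content-side check: raw <script> tags, inline event handlers or javascript:
// URLs have no place in a note and should be rejected or stripped before render.
function hasActiveHtml(markdown) {
  return /<script\b|\bon[a-z]+\s*=|javascript:/i.test(markdown);
}

const NO_POLICY = '';                                  // header unset
const WEAK = "default-src * 'unsafe-inline'";          // permissive
const STRICT = "default-src 'self'; script-src 'self'; connect-src 'none'; object-src 'none'";
```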
Evidence of exploitation
Our security policy
We have reserved the CVE-2022-40276 to refer to this issue from now on.
Version: Zettlr 2.3.0
Operating System: GNU/Linux
There is currently no patch available for this vulnerability.
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
Vendor page https://github.com/Zettlr/Zettlr