Markdownify 1.4.1 - Local File Read
| Name | Markdownify 1.4.1 - Local File Read |
| --- | --- |
| Affected versions | Version 1.4.1 |
| Kind | Insecure or unset HTTP headers - Content-Security-Policy |
| Rule | 043. Insecure or unset HTTP headers - Content-Security-Policy |
| CVSSv3 Base Score | 5.5 |
Markdownify version 1.4.1 allows an external attacker to remotely obtain arbitrary local files from any client that opens a malicious markdown file in Markdownify.
The vulnerability exists because the application does not set a Content-Security-Policy (or not a strict enough one) and/or does not validate the contents of markdown files before rendering them, so raw HTML embedded in the markdown is rendered as-is and any script it carries runs in the viewer. An attacker can therefore embed malicious JavaScript in a markdown file, send it to the victim to view, and exfiltrate the victim's local files.
To exploit this vulnerability, send a markdown file with the following content to a user and have them open it with Markdownify. The image never loads, so the `onerror` handler runs and reads the target file:

```html
<img src="1" onerror='fetch("file:///etc/private").then(data => data.text()).then(leak => alert(leak));'/>
```
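As an added example (written for this page, not code from the Markdownify project or from the advisory), the two defences the description points at, in the language of an Electron viewer: a Content-Security-Policy for a local viewer, with a checker that tells whether a given policy actually refuses inline script, and a pre-render scan of a markdown document for active HTML such as the proof of concept above. The names `VIEWER_CSP`, `cspBlocksInlineScript` and `findActiveHtml`, the pattern list and the sample documents are all assumptions constructed here.

```javascript
// Added illustrative code, not Markdownify's own. Names and sample inputs
// are assumptions made for this page.

// 1) A Content-Security-Policy for an offline document viewer. There is no
// script-src and no 'unsafe-inline', so inline handlers such as onerror="..."
// and <script> blocks that reach the DOM are refused by the renderer.
// connect-src 'none' additionally refuses fetch()/XHR from the rendered page.
const VIEWER_CSP = [
  "default-src 'none'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "font-src 'self'",
  "connect-src 'none'",
].join('; ');

// Parse a policy string into Map<directive, Set<source>>.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), new Set(sources));
  }
  return directives;
}

// True when the policy refuses inline script. script-src falls back to
// default-src; if neither exists nothing is restricted. A nonce or hash
// source makes 'unsafe-inline' ignored (CSP level 2+), so it still counts
// as blocking; otherwise 'unsafe-inline' must be absent.
function cspBlocksInlineScript(policy) {
  const d = parseCsp(policy);
  const scriptSrc = d.get('script-src') || d.get('default-src');
  if (!scriptSrc) return false;
  const sources = [...scriptSrc];
  if (sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s))) return true;
  return !sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// 2) Gate raw HTML before it reaches the markdown renderer. Markdown permits
// inline HTML, and a viewer that passes it through verbatim executes whatever
// it contains. This scan flags the obvious active content for rejection or
// review; the robust fix is to make the renderer escape raw HTML or to run
// the rendered output through a real HTML sanitizer.
const ACTIVE_HTML_PATTERNS = [
  { name: 'script tag', re: /<\s*script\b/i },
  { name: 'inline event handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /<[^>]*\b(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'iframe/object/embed', re: /<\s*(?:iframe|object|embed)\b/i },
  { name: 'file:// URL', re: /file:\/\//i },
];

// Returns one {line, reason} entry per pattern matched on each line.
function findActiveHtml(markdown) {
  const hits = [];
  markdown.split(/\r?\n/).forEach((line, i) => {
    for (const { name, re } of ACTIVE_HTML_PATTERNS) {
      if (re.test(line)) hits.push({ line: i + 1, reason: name });
    }
  });
  return hits;
}

// Constructed sample inputs: the advisory's proof-of-concept line inside a
// small document, and a benign document that uses harmless inline HTML.
const POC_MARKDOWN =
  '# Notes\n' +
  '<img src="1" onerror=\'fetch("file:///etc/private").then(data => data.text()).then(leak => alert(leak));\'/>';
const BENIGN_MARKDOWN = '# Notes\nSome <b>bold</b> text and a [link](https://example.org).';

function main() {
  console.log('viewer CSP blocks inline script:', cspBlocksInlineScript(VIEWER_CSP));
  console.log('proof of concept:', findActiveHtml(POC_MARKDOWN));
  console.log('benign document:', findActiveHtml(BENIGN_MARKDOWN));
}
main();
```

In an Electron app the policy string would be delivered either as a `<meta http-equiv="Content-Security-Policy">` tag in the viewer's HTML or from `session.defaultSession.webRequest.onHeadersReceived`; the checker is useful as a unit test so that a later edit cannot silently reintroduce `'unsafe-inline'` for scripts. The HTML scan is a tripwire, not a sanitizer: regular expressions over HTML are easy to evade, so it belongs in front of a renderer that already escapes raw HTML, not in place of one.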
Evidence of exploitation
Our security policy
We have reserved CVE-2022-41710 to refer to this issue from now on.
Version: Markdownify 1.4.1
Operating System: GNU/Linux
There is currently no patch available for this vulnerability.
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
Vendor replied acknowledging the report.