Impact
A stored Cross-Site-Scripting (XSS) vulnerability is found in the markdown editor used by the document abstract and markdown file preview. A specifically crafted anchor link can, if clicked, execute untrusted javascript actions, like retrieving user cookies.
Patches
Version 0.33.1 include a patch that allow to discard unsafe links.
References
https://github.com/showdownjs/showdown/wiki/Markdown%27s-XSS-Vulnerability-%28and-how-to-mitigate-it%29
Credits
Thanks to Philipp Fortmann for reporting to us in a responsible manner
For more information
If you have any questions or comments about this advisory:
- Email us at security [at] oneofftech.xyz
Impact
A stored Cross-Site-Scripting (XSS) vulnerability is found in the markdown editor used by the document abstract and markdown file preview. A specifically crafted anchor link can, if clicked, execute untrusted javascript actions, like retrieving user cookies.
Patches
Version 0.33.1 include a patch that allow to discard unsafe links.
References
https://github.com/showdownjs/showdown/wiki/Markdown%27s-XSS-Vulnerability-%28and-how-to-mitigate-it%29
Credits
Thanks to Philipp Fortmann for reporting to us in a responsible manner
For more information
If you have any questions or comments about this advisory: