XSS to RCE vulnerability report #42
Comments
This was fixed in v1.1.1. So I'm closing. Thank you for your report.
Thanks for the info on the fix and the version.
Silvia

On 30 November 2017 at 05:07, Linda_pp ***@***.***> wrote:
Closed #42.
Hey,
Fix confirmed. Awesome job :)
e8a65b0

On 6 December 2017 at 06:18, Jericho ***@***.***> wrote:
@rhysd <https://github.com/rhysd> Can you confirm e8a65b0 is the fixing commit?
@attritionorg Yes.
"XSS to code execution vulnerability due to enabled nodeIntegration"

Date reported: 25th Nov, 2017

Shiba is a rich live markdown preview app with a linter. It provides functionality to open .md files,

Reproduce the vulnerability:

Attacker crafts the following file: payload.md, delivers it to the victim and the victim opens it in Shiba:

Possible scenario:

You can be sure that the payload got triggered when alert 1 appears on the victim's screen. By now the attacker has received the contents of the /etc/passwd file as the result:
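The report above describes the general Electron failure mode: a renderer that displays untrusted content (here, a markdown file) while `nodeIntegration` is enabled, so that any markup injection in the preview turns into code execution with the user's privileges. The following is an added example, not Shiba's code and not part of the original report, showing a small audit of `BrowserWindow` `webPreferences` against that pattern together with the hardened option set. The option names `nodeIntegration`, `contextIsolation`, `sandbox`, `webSecurity` and `preload` are real Electron `webPreferences` keys; the version thresholds used for Electron's defaults are stated from Electron's release notes (nodeIntegration off by default since 5.0, contextIsolation on since 12.0, sandbox on since 20.0); the function names and the CSP string are my own choices.

```javascript
'use strict';

// Added example (not Shiba's code): audit the webPreferences an app passes to
// new BrowserWindow(...) for the weakness behind this report. A preview window
// that renders untrusted markdown must not have Node APIs reachable from page
// scripts. Electron defaults changed over time, so an unspecified key is
// resolved against the Electron major version the app is built with.
function auditWebPreferences(prefs, electronMajor) {
  prefs = prefs || {};
  electronMajor = electronMajor || 20;
  const nodeIntegration =
    prefs.nodeIntegration !== undefined ? prefs.nodeIntegration : electronMajor < 5;
  const contextIsolation =
    prefs.contextIsolation !== undefined ? prefs.contextIsolation : electronMajor >= 12;
  const sandbox =
    prefs.sandbox !== undefined ? prefs.sandbox : electronMajor >= 20;

  const findings = [];
  if (nodeIntegration) {
    // This is the exact condition in the report: page scripts can call
    // require(), so an XSS in rendered markdown is an arbitrary-code primitive.
    findings.push('nodeIntegration is enabled: renderer scripts can reach Node APIs');
  }
  if (!contextIsolation) {
    findings.push('contextIsolation is disabled: page scripts share a JS world with the preload script');
  }
  if (!sandbox) {
    findings.push('sandbox is disabled: renderer runs without the OS-level process sandbox');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity is disabled: same-origin policy is off in the renderer');
  }
  return findings;
}

// The option set a markdown preview window should use. Anything the renderer
// legitimately needs from Node (reading the .md file, watching it for
// changes) goes through a preload script that exposes a narrow API with
// contextBridge rather than through nodeIntegration.
function hardenedWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
    webSecurity: true,
    preload: preloadPath, // assumption: path to the app's own preload script
  };
}

// A Content-Security-Policy for the preview document: no inline script, no
// remote script, so injected <script> or on* handlers in rendered markdown
// do not run even if sanitisation is bypassed. Delivered via a <meta> tag in
// the preview HTML or via session.webRequest.onHeadersReceived.
function previewCsp() {
  return "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";
}

// Demonstration on a constructed configuration resembling a 2017-era app.
const legacyPrefs = { nodeIntegration: true };
console.log('legacy (Electron 1.x):', auditWebPreferences(legacyPrefs, 1));
console.log('hardened:', auditWebPreferences(hardenedWebPreferences('/app/preload.js'), 1));
console.log('CSP:', previewCsp());
```

In practice the audit runs over the `webPreferences` object in the main process at startup (or as a unit test of the window factory), and the preview HTML is served with `previewCsp()`; the CSP matters because markdown renderers that allow raw HTML are a recurring injection point, and the policy keeps a missed sanitiser case from turning into script execution.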
Thank you for your report. I'll investigate this issue this weekend.
Ah, I'm sorry that I misunderstood your comment. #42 (comment) is a disclosure of this problem and already fixed.
Hello,
I would like to report an XSS vulnerability in your application that leads to code execution.
I have a working POC that I don't want to post publicly.
Please contact me at silviavali14@gmail.com