Gist wangking1/61bdd1967367301a950ffbb3d10386f3, last active January 7, 2023 14:48
Stored XSS in Typora causes arbitrary code execution
A cross-site scripting (XSS) vulnerability in Typora through 1.38 allows remote attackers to run arbitrary code via export from the editor.

Insert A<svg onload="alert(/XSS/)"> (some text must come before the payload, otherwise the payload is not triggered), or a<select onfocus=alert(1) autofocus>, and so on, into the text. Send the text to the victim and guide the victim to print the XXX.md file, or to export it to PDF or to an image format; any of these actions triggers the XSS vulnerability.
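A pre-export triage check for the pattern described above, as an added example that is not part of the original gist: it flags raw HTML start tags that carry `on*` event-handler attributes in a Markdown file received from someone else, ignoring fenced code blocks and inline code spans. The function names and the sample document are constructed for illustration, and the check is a review heuristic, not a sanitizer.

```python
import re
from html.parser import HTMLParser

FENCE = re.compile(r"^\s{0,3}(`{3,}|~{3,})")   # opening/closing code fence
INLINE_CODE = re.compile(r"`[^`\n]*`")         # single-backtick code span


class _HandlerFinder(HTMLParser):
    """Records (line, tag, attribute) for each on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        line, _col = self.getpos()             # position of the tag's '<'
        for name, _value in attrs:
            if name.startswith("on"):          # onload, onfocus, onerror, ...
                self.hits.append((line, tag, name))


def strip_code(markdown_text):
    """Blank out fenced blocks and inline code, preserving line numbers."""
    out, fence = [], None
    for line in markdown_text.split("\n"):
        m = FENCE.match(line)
        if fence is None and m:
            fence = m.group(1)[0]              # remember the fence character
            out.append("")
        elif fence is not None:
            if m and m.group(1)[0] == fence:
                fence = None                   # matching closing fence
            out.append("")
        else:
            out.append(INLINE_CODE.sub(lambda s: " " * len(s.group()), line))
    return "\n".join(out)


def find_event_handlers(markdown_text):
    """Return [(line, tag, attribute), ...] for raw HTML outside code."""
    finder = _HandlerFinder()
    finder.feed(strip_code(markdown_text))
    finder.close()
    return finder.hits


# Constructed sample document; lines 2 and 7 use the two patterns from the gist.
SAMPLE = ('# Notes\nA<svg onload="alert(/XSS/)">\n'
          'Inline `<img onerror=x>` is literal text.\n'
          '~~~\n<body onload=init()>\n~~~\n'
          'a<select onfocus=alert(1) autofocus>\n')

if __name__ == "__main__":
    for line, tag, attr in find_event_handlers(SAMPLE):
        print(f"line {line}: <{tag}> carries {attr}")
```

A non-empty result is a reason to open the file in a plain-text editor and read the flagged lines before printing or exporting it.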