Skip to content

Instantly share code, notes, and snippets.

@wangking1
Last active January 7, 2023 14:48
Show Gist options
  • Save wangking1/61bdd1967367301a950ffbb3d10386f3 to your computer and use it in GitHub Desktop.
Save wangking1/61bdd1967367301a950ffbb3d10386f3 to your computer and use it in GitHub Desktop.
The storage XSS in Typora causes arbitrary code execution
Cross Site Scripting (XSS) vulnerability in typora through 1.38 allows remote attackers to run arbitrary code via export from editor.
A< Svg onload = "alert (/ XSS /)" > (any text must be added before the payload, otherwise the payload cannot be triggered), or a< Select onfocus = alert (1) autofocus > and so on Insert the text, transmit it to the victim, and guide the victim to send the XXX MD printing, or exporting the text format to PDF format or image conversion format, can trigger the XSS vulnerability Insert the text, transmit it to the victim, and guide the victim to send the XXX MD printing, or exporting the text format to PDF format or image conversion format, can trigger the XSS vulnerability
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment