Latest vulnerabilities for Saturday 19 August 2023


Last update performed on 19/08/2023 at 23:58:03

(0) CRITICAL vulnerability(ies) [9.0, 10.0]

(6) HIGH vulnerability(ies) [7.0, 8.9]

Source : starlabs.sg

Vulnerability ID : CVE-2023-2317

First published on : 19-08-2023 06:15:46
Last modified on : 19-08-2023 06:15:46

Description :
DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of the Typora main window via loading typora://app/typemark/updater/update.html in an <embed> tag. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.

CVE ID : CVE-2023-2317
Source : info@starlabs.sg
CVSS score : 8.6

References :
https://starlabs.sg/advisories/23/23-2317/ | source : info@starlabs.sg
https://support.typora.io/What's-New-1.6/ | source : info@starlabs.sg

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-2318

First published on : 19-08-2023 06:15:46
Last modified on : 19-08-2023 06:15:46

Description :
DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 and before on Windows, Linux and macOS allows arbitrary JavaScript code to run in the context of the MarkText main window. This vulnerability can be exploited if a user copies text from a malicious webpage and pastes it into MarkText.

CVE ID : CVE-2023-2318
Source : info@starlabs.sg
CVSS score : 8.6

References :
https://github.com/marktext/marktext/issues/3618 | source : info@starlabs.sg
https://starlabs.sg/advisories/23/23-2318/ | source : info@starlabs.sg

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-2110

First published on : 19-08-2023 06:15:45
Last modified on : 19-08-2023 06:15:45

Description :
Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and pastes it into Obsidian.

CVE ID : CVE-2023-2110
Source : info@starlabs.sg
CVSS score : 8.2

References :
https://obsidian.md/changelog/2023-05-03-desktop-v1.2.8/ | source : info@starlabs.sg
https://starlabs.sg/advisories/23/23-2110/ | source : info@starlabs.sg

Vulnerability : CWE-22


Vulnerability ID : CVE-2023-2316

First published on : 19-08-2023 06:15:46
Last modified on : 19-08-2023 06:15:46

Description :
Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.

CVE ID : CVE-2023-2316
Source : info@starlabs.sg
CVSS score : 7.4

References :
https://starlabs.sg/advisories/23/23-2316/ | source : info@starlabs.sg
https://support.typora.io/What's-New-1.6/ | source : info@starlabs.sg

Vulnerability : CWE-22


Source : huntr.dev

Vulnerability ID : CVE-2023-4432

First published on : 19-08-2023 01:15:09
Last modified on : 19-08-2023 01:15:09

Description :
Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE ID : CVE-2023-4432
Source : security@huntr.dev
CVSS score : 8.3

References :
https://github.com/cockpit-hq/cockpit/commit/2a93d391fbd2dd9e730f65d43b29beb65903d195 | source : security@huntr.dev
https://huntr.dev/bounties/69684663-6822-41ff-aa05-afbdb8f5268f | source : security@huntr.dev

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-4433

First published on : 19-08-2023 01:15:09
Last modified on : 19-08-2023 01:15:09

Description :
Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE ID : CVE-2023-4433
Source : security@huntr.dev
CVSS score : 8.3

References :
https://github.com/cockpit-hq/cockpit/commit/36d1d4d256cbbab028342ba10cc493e5c119172c | source : security@huntr.dev
https://huntr.dev/bounties/64f3253d-6852-4b9f-b870-85e896007b1a | source : security@huntr.dev

Vulnerability : CWE-79


(1) MEDIUM vulnerability(ies) [4.0, 6.9]

Source : starlabs.sg

Vulnerability ID : CVE-2023-2971

First published on : 19-08-2023 06:15:47
Last modified on : 19-08-2023 06:15:47

Description :
Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/typemark/". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and pastes it into Typora.

CVE ID : CVE-2023-2971
Source : info@starlabs.sg
CVSS score : 6.3

References :
https://starlabs.sg/advisories/23/23-2971/ | source : info@starlabs.sg

Vulnerability : CWE-22


(0) LOW vulnerability(ies) [0.1, 3.9]

(0) NO SCORE vulnerability(ies) [0.0, 0.0]

This website uses the NVD API but is not endorsed or certified by the NVD.

About the author
Julien B.
