CVE-2019-20374 HIGH

Vendor N/A
Product n/a
Published January 9, 2020
Last update August 5, 2024

CVSS base score

8.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:R

What the vulnerability does

01 Description

A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. The XSS vulnerability is then triggered due to improper HTML sanitization. Given that the application is based on the Electron framework, the XSS leads to remote code execution in an unsandboxed environment.

Key dates

02 Disclosure timeline

January 9, 2020 CVE published
August 5, 2024 Record updated