Cross-site Scripting in vmd

Description

vmd through 1.34.0 allows div class="markdown-body" XSS, as demonstrated by Electron remote code execution via require('child_process').execSync('calc.exe') on Windows and a similar attack on macOS.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 1.34.0

References

• GHSA-pfr3-87q3-65rc
• www.npmjs.com
• CVE-2021-33041
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Options structure open to Cross-site Scripting if passed unfiltered - CVE-2021-29489
• Cross-site scripting in react-bootstrap-table - CVE-2021-23398
• Cross-site Scripting in curly-bracket-parser - CVE-2021-23416
• Cross-site Scripting in file-upload-with-preview - CVE-2021-23439

Tags:

npm

vmd