
    2 vulnerabilities by proton_project

    CVE-2022-25224 (GCVE-0-2022-25224)

    Vulnerability from nvd – Published: 2022-05-20 11:04 – Updated: 2024-08-03 04:36
    Summary
    Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame, allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. Because the 'nodeIntegration' configuration is enabled, the loaded web page can use Node.js features, and an attacker can leverage this to run OS commands.
    Severity
    No CVSS data available.
    CWE
    • XSS to RCE (free-text problem type; the record carries no CWE identifier)
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Proton Affected: 0.2.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:36:06.522Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://fluidattacks.com/advisories/lennon/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Proton",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "XSS to RCE",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-20T11:04:12.000Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://fluidattacks.com/advisories/lennon/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "help@fluidattacks.com",
              "ID": "CVE-2022-25224",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Proton",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "XSS to RCE"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fluidattacks.com/advisories/lennon/",
                  "refsource": "MISC",
                  "url": "https://fluidattacks.com/advisories/lennon/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2022-25224",
        "datePublished": "2022-05-20T11:04:12.000Z",
        "dateReserved": "2022-02-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:36:06.522Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-25224 (GCVE-0-2022-25224)

    Vulnerability from cvelistv5 – Published: 2022-05-20 11:04 – Updated: 2024-08-03 04:36
    Summary
    Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame, allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. Because the 'nodeIntegration' configuration is enabled, the loaded web page can use Node.js features, and an attacker can leverage this to run OS commands.
    Severity
    No CVSS data available.
    CWE
    • XSS to RCE (free-text problem type; the record carries no CWE identifier)
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Proton Affected: 0.2.0

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:36:06.522Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://fluidattacks.com/advisories/lennon/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Proton",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.2.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "XSS to RCE",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-20T11:04:12.000Z",
            "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
            "shortName": "Fluid Attacks"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://fluidattacks.com/advisories/lennon/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "help@fluidattacks.com",
              "ID": "CVE-2022-25224",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Proton",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "0.2.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The \u0027nodeIntegration\u0027 configuration is set to on which allows the \u0027webpage\u0027 to use \u0027NodeJs\u0027 features, an attacker can leverage this to run OS commands."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "XSS to RCE"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://fluidattacks.com/advisories/lennon/",
                  "refsource": "MISC",
                  "url": "https://fluidattacks.com/advisories/lennon/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "assignerShortName": "Fluid Attacks",
        "cveId": "CVE-2022-25224",
        "datePublished": "2022-05-20T11:04:12.000Z",
        "dateReserved": "2022-02-15T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:36:06.522Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }