CVSS: 8.2EPSS: 0%CPEs: 4EXPL: 1CVE-2023-2110 – Obsidian Local File Disclosure
https://notcve.org/view.php?id=CVE-2023-2110
19 Aug 2023 — Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and paste it into Obsidian. • https://obsidian.md/changelog/2023-05-03-desktop-v1.2.8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33244
https://notcve.org/view.php?id=CVE-2023-33244
20 May 2023 — Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embedded web page. • https://forum.obsidian.md/t/obsidian-release-v1-2-2-insider-build/57488 •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-27035
https://notcve.org/view.php?id=CVE-2023-27035
01 May 2023 — An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page. • https://github.com/fivex3/CVE-2023-27035 • CWE-276: Incorrect Default Permissions •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36450
https://notcve.org/view.php?id=CVE-2022-36450
25 Jul 2022 — Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL. Obsidian versiones 0.14.x y 0.15.x anteriores a 0.15.,5 permite la ejecución de código remota obsidian://hook-get-address porque es usado window.open sin comprobar la URL • https://forum.obsidian.md/t/possible-remote-code-execution-through-obsidian-uri-scheme/39743 • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 0%CPEs: 3EXPL: 1CVE-2021-42057
https://notcve.org/view.php?id=CVE-2021-42057
04 Nov 2021 — Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases. Obsidian Dataview versiones hasta 0.4.12-hotfix1, permite una inyección de eval. La función evalInContext ejecuta la entrada del usuario, que permite a un atacante diseñar archivos Markdown maliciosos que ejecutarán código arbitrario una... • https://github.com/blacksmithgu/obsidian-dataview/issues/615 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38148
https://notcve.org/view.php?id=CVE-2021-38148
07 Aug 2021 — Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs. Obsidian versiones anteriores a 0.12.12, no requiere la confirmación del usuario para las URLs no http/https • https://forum.obsidian.md/t/obsidian-release-v0-12-12/21564 •