CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41481
https://notcve.org/view.php?id=CVE-2024-41481
08 Aug 2024 — Typora before 1.9.3 Markdown editor has a cross-site scripting (XSS) vulnerability via the Mermaid component. • https://support.typora.io/What%27s-New-1.9 •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41482
https://notcve.org/view.php?id=CVE-2024-41482
08 Aug 2024 — Typora before 1.9.3 Markdown editor has a cross-site scripting (XSS) vulnerability via the MathJax component. • https://support.typora.io/What%27s-New-1.9 •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33300
https://notcve.org/view.php?id=CVE-2024-33300
01 May 2024 — Typora v1.0.0 through v1.7 version (below) Markdown editor has a cross-site scripting (XSS) vulnerability, which allows attackers to execute arbitrary code by uploading Markdown files. Typora v1.0.0 a la versión v1.7 (a continuación) El editor Markdown tiene una vulnerabilidad de Cross Site Scripting (XSS), que permite a los atacantes ejecutar código arbitrario cargando archivos Markdown. • https://github.com/whoisoo6/Stored-xss-vulnerability-exists-in-Typra • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18336
https://notcve.org/view.php?id=CVE-2020-18336
10 Oct 2023 — Cross Site Scripting (XSS) vulnerability found in Typora v.0.9.65 allows a remote attacker to obtain sensitive information via the PDF file exporting function. La vulnerabilidad de Cross Site Scripting (XSS) encontrada en Typora v.0.9.65 permite a un atacante remoto obtener información confidencial a través de la función de exportación de archivos PDF. • https://github.com/typora/typora-issues/issues/2232 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39703
https://notcve.org/view.php?id=CVE-2023-39703
01 Sep 2023 — A cross site scripting (XSS) vulnerability in the Markdown Editor component of Typora v1.6.7 allows attackers to execute arbitrary code via uploading a crafted Markdown file. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en un componente del Editor de Markdown en Typora versión v1.6.7 permite a atacantes ejecutar código arbitrario cargando un archivo manipulado de Markdown. • https://c0olw.github.io/2023/07/31/Typora-XSS-Vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-2971 – Typora Local File Disclosure
https://notcve.org/view.php?id=CVE-2023-2971
19 Aug 2023 — Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/typemark/". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora. El manejo inadecuado de rutas en Typora antes de 1.7.0-dev en Windows y Linux permite que una página web manipulada acceda a archivos locales y los exfiltre a servidor... • https://starlabs.sg/advisories/23/23-2971 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 1CVE-2023-2317 – Typora DOM-Based Cross-site Scripting leading to Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-2317
19 Aug 2023 — DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading typora://app/typemark/updater/update.html in <embed> tag. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora. • https://starlabs.sg/advisories/23/23-2317 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-2316 – Typora Local File Disclosure
https://notcve.org/view.php?id=CVE-2023-2316
19 Aug 2023 — Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora. • https://starlabs.sg/advisories/23/23-2316 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-21058
https://notcve.org/view.php?id=CVE-2020-21058
20 Jun 2023 — Cross Site Scripting vulnerability in Typora v.0.9.79 allows a remote attacker to execute arbitrary code via the mermaid sytax. • https://github.com/typora/typora-issues/issues/2959 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-1003 – Typora WSH JScript code injection
https://notcve.org/view.php?id=CVE-2023-1003
24 Feb 2023 — A vulnerability, which was classified as critical, was found in Typora up to 1.5.5 on Windows. Affected is an unknown function of the component WSH JScript Handler. The manipulation leads to code injection. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. • https://github.com/typora/typora-issues/issues/5623 • CWE-94: Improper Control of Generation of Code ('Code Injection') •