CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18336
https://notcve.org/view.php?id=CVE-2020-18336
10 Oct 2023 — Cross Site Scripting (XSS) vulnerability found in Typora v.0.9.65 allows a remote attacker to obtain sensitive information via the PDF file exporting function. La vulnerabilidad de Cross Site Scripting (XSS) encontrada en Typora v.0.9.65 permite a un atacante remoto obtener información confidencial a través de la función de exportación de archivos PDF. • https://github.com/typora/typora-issues/issues/2232 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-39703
https://notcve.org/view.php?id=CVE-2023-39703
01 Sep 2023 — A cross site scripting (XSS) vulnerability in the Markdown Editor component of Typora v1.6.7 allows attackers to execute arbitrary code via uploading a crafted Markdown file. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en un componente del Editor de Markdown en Typora versión v1.6.7 permite a atacantes ejecutar código arbitrario cargando un archivo manipulado de Markdown. • https://c0olw.github.io/2023/07/31/Typora-XSS-Vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-2971 – Typora Local File Disclosure
https://notcve.org/view.php?id=CVE-2023-2971
19 Aug 2023 — Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/typemark/". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora. El manejo inadecuado de rutas en Typora antes de 1.7.0-dev en Windows y Linux permite que una página web manipulada acceda a archivos locales y los exfiltre a servidor... • https://starlabs.sg/advisories/23/23-2971 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 1CVE-2023-2317 – Typora DOM-Based Cross-site Scripting leading to Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-2317
19 Aug 2023 — DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading typora://app/typemark/updater/update.html in <embed> tag. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora. • https://starlabs.sg/advisories/23/23-2317 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 1CVE-2023-2316 – Typora Local File Disclosure
https://notcve.org/view.php?id=CVE-2023-2316
19 Aug 2023 — Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora. • https://starlabs.sg/advisories/23/23-2316 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-21058
https://notcve.org/view.php?id=CVE-2020-21058
20 Jun 2023 — Cross Site Scripting vulnerability in Typora v.0.9.79 allows a remote attacker to execute arbitrary code via the mermaid sytax. • https://github.com/typora/typora-issues/issues/2959 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-1003 – Typora WSH JScript code injection
https://notcve.org/view.php?id=CVE-2023-1003
24 Feb 2023 — A vulnerability, which was classified as critical, was found in Typora up to 1.5.5 on Windows. Affected is an unknown function of the component WSH JScript Handler. The manipulation leads to code injection. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. • https://github.com/typora/typora-issues/issues/5623 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-40011
https://notcve.org/view.php?id=CVE-2022-40011
23 Dec 2022 — Cross Site Scripting (XSS) vulnerability in typora through 1.38 allows remote attackers to run arbitrary code via export from editor. Vulnerabilidad de Cross Site Scripting (XSS) en typora hasta 1.38 permite a atacantes remotos ejecutar código arbitrario mediante exportación desde el editor. • http://typora.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43668
https://notcve.org/view.php?id=CVE-2022-43668
07 Dec 2022 — Typora versions prior to 1.4.4 fails to properly neutralize JavaScript code, which may result in executing JavaScript code contained in the file when opening a file with the affected product. Las versiones de Typora anteriores a la 1.4.4 no neutralizan adecuadamente el código JavaScript, lo que puede provocar la ejecución del código JavaScript contenido en el archivo al abrir un archivo con el producto afectado. • https://jvn.jp/en/jp/JVN26044739/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18748
https://notcve.org/view.php?id=CVE-2020-18748
19 Aug 2021 — Cross Site Scripting (XSS) in Typora v0.9.65 allows attackers to execute arbitrary code via mathjax syntax due to a mathjax configuration error in the mathematical formula blocks. This is a different vulnerability from CVE-2020-18221. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Typora versión v0.9.65, permite a atacantes ejecutar código arbitrario por medio de la sintaxis de mathjax debido a un error de configuración de mathjax en los bloques de fórmulas matemáticas. Esta es una vulnerabilidad ... • https://github.com/typora • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •