Vulnerabilities > CVE-2022-41710 - Files or Directories Accessible to External Parties vulnerability in Markdownify Project Markdownify 1.4.1

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

local

low complexity

markdownify-project

CWE-552

NVD

Published: 2022-11-03

Updated: 2022-11-04

Summary

Markdownify version 1.4.1 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Markdownify. This is possible because the application does not have a CSP policy (or at least not strict enough) and/or does not properly validate the contents of markdown files before rendering them.

Vulnerable Configurations

Part	Description	Count
Application	Markdownify_Project Markdownify Project Markdownify 1.4.1	1

Common Weakness Enumeration (CWE)

CWE-552 - Files or Directories Accessible to External Parties

References

https://github.com/amitmerchant1990/electron-markdownify
https://fluidattacks.com/advisories/noisestorm/