Silviavali

**Name of the Vulnerable Software and Affected Versions** HexoEditor version 1.1.8 **Description** The issue allows for Cross Site Scripting (XSS) attacks. By inserting a common XSS payload into a markdown file and opening it with the app, the payload will execute several times. **Recommendations** For HexoEditor version 1.1.8, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: HexoEditor version 1.1.8-beta Description: The issue allows for XSS to code execution. Recommendations: For version 1.1.8-beta, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joplin versions prior to 1.0.90 **Description** The issue is related to a Cross-site Scripting (XSS) vulnerability that can evolve into code execution due to enabled nodeIntegration for a particular BrowserWindow instance. The XSS was identified in the Note content field. This can result in executing unauthorized code within the rights in which the application is running. The attack appears to be exploitable via a victim synchronizing notes from cloud services or other note-keeping services that contain malicious code. **Recommendations** For Joplin versions prior to 1.0.90, update to version 1.0.90 or later to resolve the issue. As a temporary workaround, consider disabling the synchronization of notes from cloud services or other note-keeping services until the update is applied. Restrict access to the Note content field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Medis versions 0.6.1 and earlier **Description** The issue allows for unauthorized code execution on the victim's machine, within the rights of the running application, due to a XSS vulnerability evolving into code execution. This is caused by enabled nodeIntegration for the renderer process vulnerability in the `Key name` parameter on new key creation. The attack can be exploited when the victim is synchronizing data from the redis server that contains malicious key value. **Recommendations** For Medis versions 0.6.1 and earlier, consider disabling the `nodeIntegration` for the renderer process as a temporary workaround until a patch is available. Restrict access to the `Key name` parameter on new key creation to minimize the risk of exploitation. Avoid synchronizing data from untrusted redis servers to prevent potential attacks.

**Name of the Vulnerable Software and Affected Versions** Shiba markdown live preview app version 1.1.0 **Description** The issue allows for XSS, leading to code execution due to enabled node integration. **Recommendations** For version 1.1.0, disable node integration to prevent code execution until a patch is available.