PT-2019-12685 · Boostnote · Boostnote

Published

2019-05-19

Updated

2019-05-20

CVE-2019-12184

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Boostnote version 0.11.15

Description The issue is related to a XSS in the browser/components/MarkdownPreview.js component. It can be triggered via a label named flowchart, sequence, gallery, or chart. A crafted SRC attribute of an IFRAME element can be used to exploit this issue.

Recommendations For Boostnote version 0.11.15, consider disabling the Markdown preview feature until a patch is available. Restrict access to the MarkdownPreview.js component to minimize the risk of exploitation. Avoid using labels named flowchart, sequence, gallery, or chart in the affected component until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-12184

Affected Products

Boostnote

PT-2019-12685 · Boostnote · Boostnote

CVE-2019-12184

Weakness Enumeration

Related Identifiers

Affected Products

References · 3