CVE-2022-25224

Name of the Vulnerable Software and Affected Versions Proton version 0.2.0

Description The issue allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame, allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on, which allows the webpage to use NodeJs features. An attacker can leverage this to run OS commands.

Recommendations For Proton version 0.2.0, consider disabling the 'nodeIntegration' configuration to prevent the webpage from using NodeJs features until a patch is available. Restrict access to markdown files that may contain malicious links to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.