CVE-2022-36450

Name of the Vulnerable Software and Affected Versions Obsidian versions 0.14.x through 0.15.4

Description The issue allows remote code execution due to the use of window.open without checking the URL, specifically with the obsidian://hook-get-address protocol. This can lead to unauthorized code execution.

Recommendations For Obsidian versions 0.14.x through 0.15.4, update to version 0.15.5 or later to resolve the issue. As a temporary workaround, consider disabling the use of window.open for unverified URLs until a patch is applied. Restrict access to the obsidian://hook-get-address protocol to minimize the risk of exploitation.