PT-2022-25314 · Zettlr · Zettlr

Carlos Bello · Published 2022-11-03 · Updated 2022-11-05 · CVE-2022-40276

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Zettlr version 2.3.0

Description

The issue allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Zettlr. This is possible because the application does not have a Content Security Policy (CSP) or at least not a strict enough one, and/or does not properly validate the contents of markdown files before rendering them.

Recommendations

For Zettlr version 2.3.0, consider implementing a strict Content Security Policy (CSP) and properly validating the contents of markdown files before rendering them to prevent exploitation. As a temporary workaround, restrict the rendering of markdown files from untrusted sources until a patch is available.
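
The following is an added example, not code from the advisory or from the Zettlr project: a small JavaScript audit of a Content-Security-Policy string for the two conditions the description names, a missing policy or one that is not strict enough. The directives checked and the source expressions flagged are this example's own baseline (an assumption), and the sample policies are constructed.

```javascript
// Added example: audit a CSP string for a renderer that displays untrusted markdown.
// RISKY and CHECKED are this example's baseline, not Zettlr's actual policy.
const RISKY = new Set(['*', 'file:', 'data:', "'unsafe-inline'", "'unsafe-eval'"]);
const CHECKED = ['script-src', 'frame-src', 'object-src', 'connect-src'];

// Parse "name source source; name source" into a Map. As in the CSP
// specification, only the first occurrence of a directive counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of (policy || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Return a list of findings; an empty list means the baseline is met.
function auditCsp(policy) {
  const d = parseCsp(policy);
  if (d.size === 0) return ['no policy: every resource type is allowed'];
  const findings = [];
  const fallback = d.get('default-src');
  if (!fallback) {
    findings.push('default-src missing: unlisted resource types are unrestricted');
  }
  for (const name of CHECKED) {
    // frame-src falls back to child-src before default-src.
    const sources =
      d.get(name) || (name === 'frame-src' ? d.get('child-src') : undefined) || fallback;
    if (!sources) continue; // already covered by the default-src finding
    for (const s of sources) {
      if (RISKY.has(s)) findings.push(`${name} allows ${s}`);
    }
  }
  return findings;
}

// Constructed sample policies.
console.log(auditCsp(''));
console.log(auditCsp("script-src 'self' 'unsafe-inline'; frame-src file:"));
console.log(auditCsp("default-src 'none'; script-src 'self'; img-src 'self'"));
```
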

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2022-40276

Affected Products

Zettlr