Nixpkgs security tracker

Dismissed

Permalink CVE-2023-0835

8.2 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): Low (L)
Availability (A): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): Low (L)
Modified Availability (MA): None (N)

updated 4 months, 1 week ago by @LeSuisse Activity log

Created suggestion 4 months, 2 weeks ago
@LeSuisse ignored package vscode-extensions.yzane.markdown-pdf 4 months, 1 week ago
@LeSuisse dismissed 4 months, 1 week ago

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain …

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

References

https://fluidattacks.com/advisories/relsb/ x_transferred
https://www.npmjs.com/package/markdown-pdf/ x_transferred

Affected products

markdown-pdf

==11.0.0

Ignored packages (1)

pkgs.vscode-extensions.yzane.markdown-pdf

Converts Markdown files to pdf, html, png or jpeg files

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0

Impacted software not present in nixpkgs

Suggestion detail

References

Affected products

pkgs.vscode-extensions.yzane.markdown-pdf