Typora 1.7.4 Command Injection

2024.02.02
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: Typora v1.7.4 - OS Command Injection
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 13.09.2023
# Vendor Homepage: http://www.typora.io
# Software Link: https://download.typora.io/windows/typora-setup-ia32.exe
# Tested Version: v1.7.4 (latest)
# Tested on: Windows 2019 Server 64bit

# ### Steps to Reproduce ###

# Open the application
# Click on Preferences from the File menu
# Select PDF from the Export tab
# Check the “run command” at the bottom right and enter your reverse shell command into the opened box
# Close the page and go back to the File menu
# Then select PDF from the Export tab and click Save
# Reverse shell is ready!
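A detection-side check for the behaviour described above, as an added example that is not part of the original advisory: it flags process-creation events whose parent is Typora.exe and whose child is not an expected one. The field names follow Sysmon Event ID 1; the sample events, the install path, the allow-list of expected children and the interpreter list are assumptions constructed for illustration.

```python
import ntpath

TYPORA = r"C:\Program Files\Typora\Typora.exe"  # assumed install path

# Constructed process-creation records (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-02-02 10:01:07", "ParentImage": TYPORA,
     "Image": TYPORA, "CommandLine": "Typora.exe --type=renderer"},
    {"UtcTime": "2024-02-02 10:02:15", "ParentImage": TYPORA,
     "Image": r"C:\Tools\pandoc\pandoc.exe", "CommandLine": "pandoc.exe notes.md -o notes.docx"},
    {"UtcTime": "2024-02-02 10:03:44", "ParentImage": TYPORA.upper(),
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c <post-export command>"},
    {"UtcTime": "2024-02-02 10:03:51", "ParentImage": TYPORA,
     "Image": r"C:\Users\Public\helper.exe", "CommandLine": "helper.exe"},
    {"UtcTime": "2024-02-02 10:04:02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

PARENT = "typora.exe"
# Assumption: children an ordinary editing/export session is expected to start.
EXPECTED_CHILDREN = {"typora.exe", "pandoc.exe"}
# Assumed list of shells and script hosts; a child of this kind is rated "high".
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def exe_name(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path or "").lower()

def triage(events):
    """Return one finding per unexpected child process started by Typora."""
    findings = []
    for ev in events:
        if exe_name(ev.get("ParentImage")) != PARENT:
            continue
        child = exe_name(ev.get("Image"))
        if child in EXPECTED_CHILDREN:
            continue
        findings.append({
            "time": ev.get("UtcTime"),
            "child": child,
            "severity": "high" if child in INTERPRETERS else "review",
            "command_line": ev.get("CommandLine", ""),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} typora.exe -> {f['child']}: {f['command_line']}")
```

The allow-list should be tuned to what Typora starts in your own environment before the "review" tier is used for alerting.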


Copyright 2024, cxsecurity.com