Disclosure Date 2021/05/26

CVE-2021-20727

Cross-site Scripting in Zettlr

XSS (Cross-site Scripting) in Zettlr

Credit

Eiji Mori (@ei01241)

Affected-Versions

  • v1.8.8 and earlier

CWE

CWE-79

Description

Cross-site scripting vulnerability in Zettlr from 0.20.0 to 1.8.8 allows an attacker to execute an arbitrary script by loading a file or code snippet containing an invalid iframe into Zettlr.

Product-URLs

https://www.zettlr.com/

Reference

  • https://jvn.jp/en/jp/JVN98239374/index.html
  • https://github.com/Zettlr/Zettlr
  • https://www.zettlr.com/post/postmortem-zettlr-first-security-incident
