Disclosure Date 2021/05/26
CVE-2021-20727
Cross-site Scripting in Zettlr
XSS (Cross-site Scripting) in Zettlr
Credit
Eiji Mori (@ei01241)
Affected-Versions
- v1.8.8 and earlier
CWE
CWE-79
Description
Cross-site scripting vulnerability in Zettlr from 0.20.0 to 1.8.8 allows an attacker to execute an arbitrary script by loading a file or code snippet containing an invalid iframe into Zettlr.
Product-URLs
https://www.zettlr.com/
Reference
- https://jvn.jp/en/jp/JVN98239374/index.html
- https://github.com/Zettlr/Zettlr
- https://www.zettlr.com/post/postmortem-zettlr-first-security-incident