Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and paste it into Obsidian.
References
Link | Resource |
---|---|
https://obsidian.md/changelog/2023-05-03-desktop-v1.2.8/ | Release Notes |
https://starlabs.sg/advisories/23/23-2110/ | Exploit Mitigation Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: STAR_Labs
Published: 2023-08-19T05:31:48.974Z
Updated: 2023-08-19T05:31:48.974Z
Reserved: 2023-04-17T07:07:37.532Z
Link: CVE-2023-2110
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-08-19T06:15:45.613
Modified: 2023-08-24T14:56:05.247
Link: CVE-2023-2110
JSON object: View
Redhat Information
No data.
CWE