Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted JavaScript content, but the selected architecture within AWS does not have components that are able to insert Content-Security-Policy headers.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Vulnerability Type
对候选路径的不恰当保护
Vulnerability Title
CodiMD 安全漏洞
Vulnerability Description
CodiMD是HackMD开源的一个实时协作笔记应用程序。 CodiMD 2.5.4及之前版本存在安全漏洞,该漏洞源于基于CSP的XSS保护机制在跨域文件存储场景下可被绕过,可能导致跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A