Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal
Vulnerability Description
Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.
CVSS Information
N/A
Vulnerability Type
自定义URL方案处理程序中的授权不正确
Vulnerability Title
Vikunja 安全漏洞
Vulnerability Description
Vikunja是Vikunja开源的一个待办事项应用程序。 Vikunja 0.21.0版本至2.2.0之前版本存在安全漏洞,该漏洞源于Vikunja Desktop Electron包装器将window.open()调用的URL直接传递给shell.openExternal()而未经任何验证或协议白名单过滤,可能导致攻击者通过用户生成内容中的链接触发受害者操作系统打开任意URI方案。
CVSS Information
N/A
Vulnerability Type
N/A