Codigo Markdown Editor Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in Codigo Markdown Editor version 1.0.1. This issue allows attackers to execute arbitrary system commands by creating a malicious markdown file. The vulnerability arises from the application's handling of video sources embedded in the markdown, specifically through an onerror event. When the crafted file is opened, the embedded command is executed via Node.js's child_process module.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the system where Codigo Markdown Editor is running.
Reproduction
To reproduce this vulnerability, create a markdown file and embed a video source with an onerror event. The onerror event should be crafted to execute a command using Node.js's child_process module. Once the file is saved, open it in Codigo Markdown Editor version 1.0.1. The embedded command will be executed, demonstrating the vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.