Muffon Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Muffon versions prior to 2.3.0. This issue arises from improper handling of custom URL links, which can be exploited by embedding a specially crafted 'muffon://' link on a controlled website. When a victim clicks the link, Muffon launches and processes the URL, leading to code execution on the victim's machine without any further interaction. The vulnerability is rooted in multiple cross-site scripting (XSS) issues that allow the execution of arbitrary code via Electron's privileged APIs.

Impact

Exploitation of this vulnerability allows for one-click remote code execution on the victim's machine.

Reproduction

To reproduce this vulnerability, embed a 'muffon://' link that includes an XSS payload, such as an image tag with an 'onerror' event, into a website. When a user clicks the link, Muffon will open and execute the embedded payload, such as launching an application like Calculator from the '/tmp' directory.

Remediation

Users can update to Muffon version 2.3.0, which addresses this vulnerability.
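The root cause described above is untrusted text from a custom-scheme link reaching the renderer. As an added example, not Muffon's own code, here is a strict validator for such deep links that runs in the main process before anything is handed to the UI; it assumes a hypothetical link format muffon://<action>/<id> with an allowlisted action and a short alphanumeric id, and rejects everything else.

```javascript
// Added example (not from the Muffon project): strict parsing of a custom-scheme
// deep link. Assumed link shape: muffon://<action>/<id>. Anything that is not
// exactly that shape is rejected, so no free-form text can reach the renderer.
const ALLOWED_ACTIONS = new Set(['track', 'album', 'artist']); // hypothetical actions
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;                     // hypothetical id format

function parseDeepLink(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser; throws on malformed input
  } catch {
    return { ok: false, reason: 'not a URL' };
  }
  if (url.protocol !== 'muffon:') return { ok: false, reason: 'wrong scheme' };
  // For scheme://action/id the hostname carries the action. Credentials, query
  // and fragment are never expected, so their presence is treated as hostile.
  if (url.username || url.password || url.search || url.hash) {
    return { ok: false, reason: 'unexpected URL components' };
  }
  const action = url.hostname;
  if (!ALLOWED_ACTIONS.has(action)) return { ok: false, reason: 'unknown action' };
  const segments = url.pathname.split('/').filter(Boolean);
  if (segments.length !== 1) return { ok: false, reason: 'bad path' };
  let id;
  try {
    id = decodeURIComponent(segments[0]); // the parser percent-encodes < > " etc.
  } catch {
    return { ok: false, reason: 'bad encoding' };
  }
  // Validate the decoded value, not the encoded one, so markup such as an
  // <img onerror=...> tag can never pass as an id.
  if (!ID_PATTERN.test(id)) return { ok: false, reason: 'bad id' };
  return { ok: true, action, id };
}

module.exports = { parseDeepLink };
```

Only the validated `action` and `id` should be forwarded to the renderer (for example over IPC as plain data) and inserted with `textContent`, never `innerHTML`; keeping `contextIsolation` on and `nodeIntegration` off in the BrowserWindow limits what a renderer-side XSS can reach if one slips through.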

Added: Jan 5, 2026, 6:22 PM
Updated: Jan 5, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.