CVE-2019-12137
Published: 2019-05-16

CVE-2019-12137: Typora 0.9.9.24.6 on macOS allows directory traversal, for execution of arbitrary programs, via a file:/// or ../ substring in a shared note.

Priority P348 | high | 7.8 CVSS 3.0
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 6.45% (92.9th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| typora | typora | — | — |
| typora | typora | — | — |
CVSS provenance
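| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |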
GHSA
GHSA-j8m6-hgfm-cp2q: Typora 0
ghsa_unreviewed·2022-05-24·CVSS 7.8
CVE-2019-12172 [HIGH] CWE-22 GHSA-j8m6-hgfm-cp2q: Typora 0
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
GHSA
GHSA-5qpr-j9ww-x44p: Typora 0
ghsa_unreviewed·2022-05-24
CVE-2019-12137 [HIGH] CWE-22 GHSA-5qpr-j9ww-x44p: Typora 0
Typora 0.9.9.24.6 on macOS allows directory traversal, for execution of arbitrary programs, via a file:/// or ../ substring in a shared note.
No detection rules found.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/153082/Typora-0.9.9.24.6-Directory-Traversal.html
https://github.com/typora/typora-issues/issues/2505
https://twitter.com/RandomDhiraj/status/1136960564540915712
Published: 2019-05-16