CVE-2022-25224

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-25224

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25224.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-25224

Published

2022-05-20T12:15:10.883Z

Modified

2026-03-14T11:38:24.567311Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.

References

https://fluidattacks.com/advisories/lennon/

Affected packages

Git / github.com/steventhanna/proton

Affected ranges

Type

GIT

Repo

https://github.com/steventhanna/proton

Events

Introduced

Last affected

b99c56a0aa2d3d2032906977cf0d7f70d3df4c12

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.2.0"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.1.1

v0.2.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-25224.json"