CVE-2022-36450 Obsidian before 0.15.5 allows remote code execution via the window.open hook.


Remote attackers can exploit this to execute code from otherwise unprivileged sites by enticing an unsuspecting user to visit an attacker-controlled site. The issue was addressed by disabling window.open. We recommend updating to the latest version of Obsidian.

Release notes:
* obsidian-0.15.6 - Update address sanitizer to fix remote code execution in 0.15.x through 0.16.x when sending messages to an unpatched client.
* obsidian-0.15.5 - Fixed a remote code execution issue with the window.open() method.
* obsidian-0.15.4 - Fixed an XSS issue in the context menu.
* obsidian-0.15.3 - Fixed a remote code execution issue with the window.open() method.
* obsidian-0.15.2 - Fixed an XSS issue in the context menu.
* obsidian-0.15.1 - Fixed a remote code execution issue with the window.open() method.
* obsidian-0.15 - Fixed a remote code execution issue with the window.open() method.
* obsidian-0.14.19 - Fixed an XSS issue in the context menu.
* obsidian-0.14.18 - Fixed an XSS issue in the context menu.
* obsidian-0.14.17 - Fixed an XSS issue in the context menu.
* obsidian-0.14.16 - Fixed an XSS issue in the context menu.
* obsidian-0.14.
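The mitigation the advisory describes, disabling window.open, is normally implemented in an Electron application's main process with webContents.setWindowOpenHandler. The block below is an added example, not Obsidian's code: it never allows a new application window for a window.open request and only hands http(s) and mailto URLs to the system browser. The function names decideWindowOpen and installWindowOpenPolicy, the scheme allowlist and the reason strings are assumptions made for illustration; the handler signature ({ url }) and the { action: 'deny' } return shape are Electron's. The decision logic is kept as a pure function so it can be exercised under plain Node without Electron.

```javascript
// Added example (not Obsidian's code): a restrictive window.open policy for an
// Electron main process, written as a pure decision function plus thin wiring.
// Function names and the allowlist are assumptions for illustration.

// Schemes we are willing to hand to the OS default handler. file:, javascript:,
// data: and app-specific schemes are deliberately absent: opening those from a
// page the attacker controls is how a window.open hook turns into code execution.
const EXTERNAL_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Decide what to do with window.open(rawUrl) from the renderer.
// Always returns action 'deny' (never 'allow'): allowing would create a new
// BrowserWindow inside the application, under whatever webPreferences that
// window inherits or is given. Denying keeps untrusted URLs out of the app;
// `openExternal` says whether the wiring may pass the URL to the system browser.
function decideWindowOpen(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl); // Node's WHATWG URL parser, a global
  } catch {
    return { action: 'deny', openExternal: false, reason: 'unparseable url' };
  }
  if (!EXTERNAL_SCHEMES.has(parsed.protocol)) {
    return { action: 'deny', openExternal: false, reason: `blocked scheme ${parsed.protocol}` };
  }
  // Embedded credentials are a phishing / credential-leak smell; refuse them.
  if (parsed.username || parsed.password) {
    return { action: 'deny', openExternal: false, reason: 'embedded credentials' };
  }
  return { action: 'deny', openExternal: true, reason: 'handed to system browser', url: parsed.href };
}

// Wiring: install the policy on a webContents. `shell` is Electron's shell module;
// both are passed in so the block also runs (and is testable) without Electron.
function installWindowOpenPolicy(webContents, shell) {
  webContents.setWindowOpenHandler(({ url }) => {
    const decision = decideWindowOpen(url);
    if (decision.openExternal) {
      // shell.openExternal goes to the OS handler; it never creates an app window.
      shell.openExternal(decision.url);
    }
    return { action: decision.action };
  });
}
```

In a real main process you would call installWindowOpenPolicy(win.webContents, require('electron').shell) right after creating each BrowserWindow; the point of routing through decideWindowOpen is that the allowlist is one function you can unit-test and audit, rather than policy scattered across event handlers.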

Security Improvements

The obsidian-0.14 release was focused on security improvements, including:
* Updated the address sanitizer;
* Fixed an XSS issue in the context menu;
* Fixed an XSS issue in the message dialog.
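The two XSS items above are the same class of bug: text that came from a note or a link is spliced into UI markup as HTML rather than shown as text. The block below is an added example, not Obsidian's code, showing the vulnerable construction beside the hardened one for a context-menu entry. The names buildMenuItemHtmlUnsafe, buildMenuItemHtml, escapeHtml and containsForeignTag, and the sample payload, are assumptions made for illustration.

```javascript
// Added example (not Obsidian's code): unsafe vs. hardened construction of a
// context-menu entry from attacker-influenced text. Names are illustrative.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can open a tag, end an attribute or start an
// entity, so untrusted text renders as text even when assigned via innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the label (e.g. a link's text taken from a note) is dropped
// straight into markup that the UI later assigns with innerHTML, so a label
// like <img src=x onerror=...> becomes a live element with a script handler.
function buildMenuItemHtmlUnsafe(label) {
  return `<li class="menu-item">${label}</li>`;
}

// Hardened: the label is escaped before it touches markup. In a real renderer
// prefer creating the element and setting textContent; escaping is the fallback
// for code paths that must assemble an HTML string.
function buildMenuItemHtml(label) {
  return `<li class="menu-item">${escapeHtml(label)}</li>`;
}

// Crude audit helper: does the output contain any tag other than our own <li>?
function containsForeignTag(html) {
  return /<(?!\/?li\b)[a-z]/i.test(html);
}

// Constructed sample payload, the sort of text an attacker can put in a shared note.
const SAMPLE_PAYLOAD = '<img src=x onerror=alert(1)>';
```

Run containsForeignTag over every string a UI component hands to innerHTML and the unsafe path lights up immediately; the hardened path yields only the menu's own markup with the payload visible as literal text.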

These fixes matter because each of them closes a path by which untrusted content (a crafted page reached through window.open, or text rendered in the context menu or message dialog) could run script inside the application; keeping Obsidian current is the only way to benefit from them.

Integer Overflow

The integer overflow that was fixed in 0.15.2 allowed users to cause a denial of service against their own sites.
