Proton
CVE-2022-25224
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands.
AnalysisAI
Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Proton v0.2.0 allows an attacker to create a malicious link inside a markdown file. When the victim clicks the link, the application opens the site in the current frame allowing an attacker to host JavaScript code in the malicious link in order to trigger an XSS attack. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands. Affected products include: Proton Project Proton.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Optergy Proton/Enterprise devices allow Remote Root Code Execution via a Backdoor Console. Rated critical severity (CVSS
Optergy Proton/Enterprise devices allow Authenticated File Upload with Code Execution as root. Rated critical severity (
Optergy Proton/Enterprise devices allow Open Redirect. Rated medium severity (CVSS 6.1), this vulnerability is remotely
Out-of-bounds write vulnerability in Proton versions before 1.6.16 allows remote attackers to execute arbitrary code wit
Optergy Proton/Enterprise devices allow Username Disclosure. Rated medium severity (CVSS 5.3), this vulnerability is rem
Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerab
Optergy Proton/Enterprise devices have Hard-coded Credentials. Rated high severity (CVSS 7.3), this vulnerability is rem
Optergy Proton/Enterprise devices have an Unauthenticated SMS Sending Service. Rated medium severity (CVSS 6.5), this vu
Optergy Proton/Enterprise devices allow Unauthenticated Internal Network Information Disclosure. Rated medium severity (
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today