Skip to main content

Obsidian

9 CVEs product

Monthly

CVE-2023-2110 HIGH POC This Week

Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Apple Microsoft Obsidian
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2023-33244 HIGH This Week

Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embedded web page. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Obsidian
NVD
CVSS 3.1
8.2
EPSS
0.5%
CVE-2023-27035 HIGH POC This Week

An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Obsidian
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2023-24044 MEDIUM POC This Month

A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Obsidian
NVD GitHub
CVSS 3.1
6.1
EPSS
2.2%
CVE-2022-45130 MEDIUM POC This Month

Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Obsidian
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-36450 CRITICAL POC THREAT Act Now

Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Obsidian
NVD
CVSS 3.1
9.8
EPSS
19.6%
CVE-2021-35976 MEDIUM POC This Month

The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Obsidian
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-38148 npm CRITICAL PATCH Act Now

Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Obsidian
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2020-11583 MEDIUM This Month

A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Obsidian
NVD
CVSS 3.1
6.1
EPSS
1.0%
EPSS 0% CVSS 7.1
HIGH POC This Week

Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Apple Microsoft +1
NVD
EPSS 0% CVSS 8.2
HIGH This Week

Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embedded web page. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Obsidian
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Obsidian
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC This Month

A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Obsidian
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Obsidian
NVD
EPSS 20% CVSS 9.8
CRITICAL POC THREAT Act Now

Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Obsidian
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Obsidian
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Obsidian
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Obsidian
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy