CVE-2023-2317
Published: 19 August 2023
Summary
CVE-2023-2317 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Typora Typora. Its CVSS base score is 8.6 (High).
Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-2317 is a DOM-based cross-site scripting vulnerability in the updater/update.html component of Typora versions prior to 1.6.7 on Windows and Linux. The flaw permits a crafted Markdown file to execute arbitrary JavaScript within the context of the Typora main window by loading the typora://app/typemark/updater/update.html resource through an <embed> tag.
An attacker can exploit the issue when a user either opens a malicious Markdown file directly in Typora or copies and pastes content originating from a malicious webpage. Successful exploitation grants the attacker the ability to run code with high impact on confidentiality, integrity, and availability, consistent with the reported CVSS 8.6 score.
Public references indicate that Typora resolved the vulnerability in release 1.6.7, as documented in the vendor's "What's New" notes, while the Star Labs advisory provides technical details on the root cause and reproduction steps. The associated EPSS score has remained flat at 0.4928 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33821
Vulnerability details
DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading typora://app/typemark/updater/update.html in <embed> tag. This vulnerability can be exploited…
more
if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.