CVE-2019-20374

Published: Jan 9, 2020Modified: Jun 17, 2026

9.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 6.0

Source: NVD

Description

A mutation cross-site scripting (XSS) issue in Typora through 0.9.9.31.2 on macOS and through 0.9.81 on Linux leads to Remote Code Execution through Mermaid code blocks. To exploit this vulnerability, one must open a file in Typora. The XSS vulnerability is then triggered due to improper HTML sanitization. Given that the application is based on the Electron framework, the XSS leads to remote code execution in an unsandboxed environment.

Affected (2)

Products: Typora: Typora

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Typora Typora	Up to 0.9.81

Running on/with	Platform Versions
Linux Linux Kernel	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Typora Typora	Up to 0.9.9.31.2

Running on/with	Platform Versions
Apple Macos	All versions

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/cure53/DOMPurify/commit/4e8af7b2c4a159b683d317e02c5cbddb86dc4a0e

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/typora/typora-issues/issues/3124

Source: cve@mitre.org

Third Party Advisory

https://github.com/cure53/DOMPurify/commit/4e8af7b2c4a159b683d317e02c5cbddb86dc4a0e

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/typora/typora-issues/issues/3124

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.