CVE-2023-27035

Published: May 1, 2023Modified: Jan 30, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page.

Affected (1)

Products: Obsidian: Obsidian

Obsidian

1 product

Obsidian

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Obsidian Obsidian	Version 1.1.9

Related CWEs

CWE-276

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (6)

https://forum.obsidian.md/t/embedded-web-pages-in-obsidian-canvas-can-use-sensitive-web-apis-without-the-users-permission-grant/54509

Source: cve@mitre.org

Exploit

https://forum.obsidian.md/t/obsidian-release-v1-1-14-insider-build/54595

Source: cve@mitre.org

Release Notes

https://github.com/fivex3/CVE-2023-27035

Source: cve@mitre.org

ExploitThird Party Advisory

https://forum.obsidian.md/t/embedded-web-pages-in-obsidian-canvas-can-use-sensitive-web-apis-without-the-users-permission-grant/54509

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

https://forum.obsidian.md/t/obsidian-release-v1-1-14-insider-build/54595

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/fivex3/CVE-2023-27035

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.