XSS/RCE vulnerability #145
Comments
Thanks @MCOffSec for doing this, it is appreciated. Just checking that you mean specifically the desktop application and not the web application at https://github.com/OWASP/threat-dragon ? For both repos you can email [email protected] using the PGP key at the bottom of the README.md file in either repo. Thanks again, Jon
Just checking you received the details via the Flowcrypt page?
@mike-goodwin should have received it? Mike can you confirm?
Hello @MCOffSec - can you give an idea (without disclosure) of how severe this vuln is? Is it exploitable within the desktop application, or is it more targeted towards the online web app at https://github.com/OWASP/threat-dragon ?
Sure, it impacts the desktop version of the application and requires the user to load a maliciously crafted file in the app then click a commonly used button within the tool.
OK, thanks @MCOffSec, understood. Do you have a fix for this? We are about to release version 1.3 - something like early August, so it would be good to have a fix in place. Many thanks, Jon
This TD repo was migrated to the OWASP organisation repo at https://github.com/OWASP/threat-dragon-desktop/issues . I can duplicate this issue there, where the fix will be applied, or do you want to raise this issue in that repo? You get github credit if you do :-)
I can raise it there, it's not a problem :)
During testing of this app I've discovered an XSS flaw that can lead to RCE. Is there a secure/private place I can post details of the issue?