
Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Obsidian
  • Search Type: Search All
  • CPE Name Search: false
There are 11 matching records.
Displaying matches 1 through 11.
Each record below lists the Vuln ID, the NVD summary, the publication date, and the CVSS v3.x and v2.0 base scores with severity (where available).
CVE-2022-36677
  Summary: Obsidian Mind Map v1.1.0 allows attackers to execute arbitrary code via a crafted payload injected into an uploaded document.
  Published: February 28, 2024; 8:35:29 PM -0500
  CVSS v3.x: not available
  CVSS v2.0: not available
CVE-2023-2110
  Summary: Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and pastes it into Obsidian.
  Published: August 19, 2023; 2:15:45 AM -0400
  CVSS v3.1: 7.1 HIGH
  CVSS v2.0: not available
CVE-2023-33244
  Summary: Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embedded web page.
  Published: May 20, 2023; 3:15:08 PM -0400
  CVSS v3.1: 8.2 HIGH
  CVSS v2.0: not available
CVE-2023-27035
  Summary: An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via an embedded website on the canvas page.
  Published: May 01, 2023; 6:15:09 PM -0400
  CVSS v3.1: 7.5 HIGH
  CVSS v2.0: not available
CVE-2023-24044
  Summary: A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended feature."
  Published: January 21, 2023; 10:15:09 PM -0500
  CVSS v3.1: 6.1 MEDIUM
  CVSS v2.0: not available
CVE-2022-45130
  Summary: Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers.
  Published: November 10, 2022; 1:15:13 AM -0500
  CVSS v3.1: 6.5 MEDIUM
  CVSS v2.0: not available
CVE-2022-36450
  Summary: Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL.
  Published: July 25, 2022; 3:15:07 AM -0400
  CVSS v3.1: 9.8 CRITICAL
  CVSS v2.0: not available
CVE-2021-42057
  Summary: Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.
  Published: November 04, 2021; 5:15:09 PM -0400
  CVSS v3.1: 7.8 HIGH
  CVSS v2.0: 9.3 HIGH
CVE-2021-35976
  Summary: The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability.
  Published: September 10, 2021; 8:15:13 AM -0400
  CVSS v3.1: 6.1 MEDIUM
  CVSS v2.0: 4.3 MEDIUM
CVE-2021-38148
  Summary: Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs.
  Published: August 06, 2021; 11:15:06 PM -0400
  CVSS v3.1: 9.8 CRITICAL
  CVSS v2.0: 7.5 HIGH
CVE-2020-11583
  Summary: A GET-based reflected XSS vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
  Published: August 03, 2020; 5:15:10 PM -0400
  CVSS v3.1: 6.1 MEDIUM
  CVSS v2.0: 4.3 MEDIUM