Vulnerability Details : CVE-2023-27035
Potential exploit
An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page.
Products affected by CVE-2023-27035
- cpe:2.3:a:obsidian:obsidian:1.1.9:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-27035
- EPSS score: 23.06% (probability of exploitation activity in the next 30 days)
- Percentile: ~96% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-27035
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-01-31 |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 2.8 | 3.6 | MITRE | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2023-27035
- During installation, installed file permissions are set to allow anyone to modify those files.
  Assigned by:
  - 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2023-27035
- https://forum.obsidian.md/t/obsidian-release-v1-1-14-insider-build/54595
  Obsidian Release v1.1.14 (Insider build) - Announcements - Obsidian Forum (Release Notes)
- https://forum.obsidian.md/t/embedded-web-pages-in-obsidian-canvas-can-use-sensitive-web-apis-without-the-users-permission-grant/54509
  Embedded web pages in Obsidian Canvas can use sensitive web APIs without the user's permission grant - Bug graveyard - Obsidian Forum (Exploit)
- https://github.com/fivex3/CVE-2023-27035
  GitHub - fivex3/CVE-2023-27035 (Exploit; Third Party Advisory)