Obsidian: >> Obsidian >> 0.10.1 Security Vulnerabilities
Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and paste it into Obsidian.
CVSS Score
8.2
EPSS Score
0.001
Published
2023-08-19
Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embedded web page.
CVSS Score
8.2
EPSS Score
0.001
Published
2023-05-20
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs.
CVSS Score
9.8
EPSS Score
0.005
Published
2021-08-07