CVE-2023-27035
MEDIUMObsidian Canvas 1.1.9 - Unauthenticated Sensitive Web API Access via Embedded Website
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2023-27035. PoCs published by fivex3.
AI-analyzed exploit summary This repository provides a functional proof-of-concept for CVE-2023-27035, demonstrating how embedded web pages in Obsidian Canvas can exploit missing permission request handlers to access sensitive Web APIs like microphone recording and desktop notifications without user consent.
Description
An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page.
Exploits (1)
This repository provides a functional proof-of-concept for CVE-2023-27035, demonstrating how embedded web pages in Obsidian Canvas can exploit missing permission request handlers to access sensitive Web APIs like microphone recording and desktop notifications without user consent.
References (3)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N