mike-goodwin / owasp-threat-dragon-desktop

An installable desktop variant of OWASP Threat Dragon
Apache License 2.0

XSS/RCE vulnerability #145

Open MCOffSec opened 4 years ago

MCOffSec commented 4 years ago

During testing of this app I've discovered an XSS flaw that can lead to RCE. Is there a secure/private place I can post details of the issue?

jgadsden commented 4 years ago

Thanks @MCOffSec for doing this, it is appreciated. Just checking that you mean specifically the desktop application and not the web application at https://github.com/OWASP/threat-dragon ?

For both repos you can email mike.goodwin@owasp.org using the PGP key at the bottom of the README.md file in either repo.

Thanks again, Jon

MCOffSec commented 4 years ago

Just checking you received the details via the Flowcrypt page?

jgadsden commented 4 years ago

@mike-goodwin should have received it? Mike can you confirm?

jgadsden commented 4 years ago

Hello @MCOffSec - can you give an idea (without disclosure) of how severe this vuln is? Is it exploitable within the desktop application, or is it more targeted towards the online web app at https://github.com/OWASP/threat-dragon ?

MCOffSec commented 4 years ago

Sure, it impacts the desktop version of the application and requires the user to load a maliciously crafted file in the app then click a commonly used button within the tool.

jgadsden commented 4 years ago

OK, thanks @MCOffSec , understood. Do you have a fix for this? We are about to release version 1.3 - something like early August, so it would be good to have a fix in place. Many thanks, Jon

jgadsden commented 4 years ago

This TD repo was migrated to the OWASP organisation repo at https://github.com/OWASP/threat-dragon-desktop/issues . I can duplicate this issue there, where the fix will be applied, or do you want to raise this issue in that repo? You get GitHub credit if you do :-)

MCOffSec commented 4 years ago

I can raise it there, it's not a problem :)