Multiple vulnerabilities discovered in Notepad++ versions prior to 8.9.7 could allow attackers to execute PowerShell commands on target systems, including a Zip Slip vulnerability and a buffer overflow issue that security researchers say pose significant risk to the developer community.
The most severe of the flaws is a PowerShell command injection vulnerability that triggers when Notepad++ processes specially crafted files. An attacker can embed malicious PowerShell commands within a text file that, when opened, executes arbitrary code through the editors macro and plugin systems. A Zip Slip vulnerability in the programs update extraction mechanism could allow attackers to write files outside the intended extraction directory by using directory traversal sequences in archive filenames.
A buffer overflow flaw in the editing engine rounds out the trio of critical issues. Patched in Notepad++ version 8.9.7, users are strongly advised to update immediately. The vulnerabilities affect all prior versions and could be exploited through phishing campaigns targeting developers and technical professionals who rely on the popular open-source editor.
HTMLEOF
