Gandalf_The_Grey
Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,421
Several vulnerabilities (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) are believed to exist in the popular Notepad ++ editor and have been reported to the developer by a security researcher. The vulnerability ratings range from medium to high. Although this report was made several months ago, there is no security update for Notepad ++ yet, although several product updates have been made in the meantime. When an update will be available is currently open.
Although the developer released product updates, the vulnerabilities were not closed. In addition, the developer stated that Notepad v8.5.4 could not be compiled with AddressSanitizer (ASAN) as a security option. In July 2023, it was confirmed that v8.5.4 could be compiled with ASAN. However, the developer has released further Notepad++ updates without fixing the reported vulnerabilities.
After the problems were pointed out to the developer several times, he was sent a proof of concept in binary format (instead of as a Python script). There has been no reaction so far, although further updates of notepad ++ have been made. The security researcher then published his findings on August 21, 2023. When an update to fix the vulnerabilities will come is still unclear. However, there is this 2-day-old comment from the developer that he has accepted the request to fix the vulnerability – the publication of the vulnerabilities seems to have worked.
Vulnerabilities in Notepad ++ (Sept. 2023)
[German]Several vulnerabilities (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) are believed to exist in the popular Notepad ++ editor and have been reported to the developer by a security researcher. The vulnerability ratings range from medium to high. Although this report was made
borncity.com