
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and cause other unspecified impacts via a website embedded on the canvas page. The vulnerability was discovered in February 2023 and affects Obsidian versions prior to 1.1.14 (Obsidian Forum, CVE Details).
The vulnerability stems from the absence of a Session Permission Request handler in the Obsidian application. This allows malicious embedded websites to access sensitive Web APIs without requiring user permission or knowledge. The vulnerability has a CVSS v3.1 Base Score of 7.5 HIGH with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (CVE Details).
The vulnerability enables attackers to silently record the user's microphone, access the clipboard, and send desktop notifications without the user's knowledge or explicit permission grant. Unlike regular browsers that display permission request pop-ups, embedded websites in Obsidian Canvas can access these sensitive APIs without any notification to the user (GitHub POC).
The vulnerability was fixed in Obsidian version 1.1.14 by implementing an Electron Session Permission Request handler to manage permission requests from embedded pages. Users should upgrade to version 1.1.14 or later. With the fix, access to a Web API is either explicitly granted by the user or denied by default (Obsidian Forum).
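A deny-by-default permission handler of the kind the fix describes, as an added example that is not Obsidian's own code; it assumes Electron's `session.setPermissionRequestHandler` and `session.setPermissionCheckHandler` APIs and uses a constructed stand-in session object so it runs without Electron.

```javascript
// Added example, not Obsidian's own code: a deny-by-default Electron permission
// handler of the kind the 1.1.14 fix introduced. Without a handler Electron
// grants "media" (microphone), "notifications" and clipboard requests from
// embedded pages with no prompt; with one, every request is answered by policy.
// Permissions the user explicitly granted, keyed by origin. A real app would
// fill this from a prompt or settings UI; this table is constructed inline.
const userGrants = new Map([
  ['https://trusted.example', new Set(['notifications'])],
]);

// Pure policy decision: true only if this origin was granted this permission.
function decidePermission(permission, requestingUrl, grants) {
  let origin;
  try {
    origin = new URL(requestingUrl).origin;
  } catch {
    return false; // unparsable or opaque origin: deny
  }
  const granted = grants.get(origin);
  return Boolean(granted && granted.has(permission));
}

// Wire the policy into an Electron session (pass session.defaultSession).
// The request handler answers prompt-style requests (getUserMedia,
// Notification.requestPermission); the check handler answers synchronous
// queries (navigator.permissions.query, clipboard reads). Set both.
function installPermissionHandlers(session, grants) {
  session.setPermissionRequestHandler((webContents, permission, callback, details) => {
    const url = (details && details.requestingUrl) || webContents.getURL();
    callback(decidePermission(permission, url, grants));
  });
  session.setPermissionCheckHandler((webContents, permission, requestingOrigin) =>
    decidePermission(permission, requestingOrigin, grants));
}

// Constructed stand-in for Electron's session so the example runs without it.
function makeFakeSession() {
  const s = { requestHandler: null, checkHandler: null };
  s.setPermissionRequestHandler = (h) => { s.requestHandler = h; };
  s.setPermissionCheckHandler = (h) => { s.checkHandler = h; };
  return s;
}

// Simulate an embedded page at `url` asking for `permission`; returns the answer.
function simulate(session, permission, url) {
  let answer;
  session.requestHandler({ getURL: () => url }, permission, (ok) => { answer = ok; }, { requestingUrl: url });
  return answer;
}

const demo = makeFakeSession();
installPermissionHandlers(demo, userGrants);
console.log(simulate(demo, 'media', 'https://evil.example/embed'), simulate(demo, 'notifications', 'https://trusted.example/page')); // false true
```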
The Obsidian development team responded quickly to the vulnerability report, implementing the suggested mitigation in code and releasing a fix in version 1.1.14. The team acknowledged the quality of the vulnerability report but noted they weren't yet participating in the CVE program due to being a small team (Obsidian Forum).
Source: This report was generated using AI