CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 1CVE-2024-41662 – VNote vulnerable to Markdown XSS, which leads to RCE
https://notcve.org/view.php?id=CVE-2024-41662
VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which remote code execution can be achieved. A patch for this issue is available at commit f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Other mitigation strategies include implementing rigorous input sanitization for all Markdown content and utilizing a secure Markdown parser that appropriately escapes or strips potentially dangerous content. • https://github.com/sh3bu/CVE-2024-41662 https://github.com/vnotex/vnote/commit/f1af78573a0ef51d6ef6a0bc4080cddc8f30a545 https://github.com/vnotex/vnote/security/advisories/GHSA-w655-h68w-vxxc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39904 – Code Execution Vulnerability via Local File Path Traversal in Vnote
https://notcve.org/view.php?id=CVE-2024-39904
VNote is a note-taking platform. Prior to 3.18.1, a code execution vulnerability existed in VNote, which allowed an attacker to execute arbitrary programs on the victim's system. A crafted URI can be used in a note to perform this attack using file:/// as a link. For example, file:///C:/WINDOWS/system32/cmd.exe. This allows attackers to execute arbitrary programs by embedding a reference to a local executable file such as file:///C:/WINDOWS/system32/cmd.exe and file:///C:/WINDOWS/system32/calc.exe. • https://github.com/vnotex/vnote/commit/3477469b669708ff547037fda9fc2817870428aa https://github.com/vnotex/vnote/security/advisories/GHSA-vhh5-8wcv-68gj • CWE-73: External Control of File Name or Path •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5701 – vnotex vnote Markdown File cross site scripting
https://notcve.org/view.php?id=CVE-2023-5701
A vulnerability has been found in vnotex vnote up to 3.17.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Markdown File Handler. The manipulation with the input <xss onclick="alert(1)" style=display:block>Click here</xss> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/victorootnice/victorootnice.github.io/blob/main/2023/bbp-01.md https://vuldb.com/?ctiid.243139 https://vuldb.com/?id.243139 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-8419
https://notcve.org/view.php?id=CVE-2019-8419
VNote 2.2 has XSS via a new text note. VNote 2.2 tiene Cross-Site Scripting (XSS) mediante una nueva nota de texto. • https://github.com/tamlok/vnote/issues/564 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •