CVE-2024-41662
VNote vulnerable to Markdown XSS, which leads to RCE
Severity Score
8.6
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which remote code execution can be achieved. A patch for this issue is available at commit f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Other mitigation strategies include implementing rigorous input sanitization for all Markdown content and utilizing a secure Markdown parser that appropriately escapes or strips potentially dangerous content.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-07-18 CVE Reserved
- 2024-07-24 CVE Published
- 2024-07-24 First Exploit
- 2024-07-25 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/vnotex/vnote/commit/f1af78573a0ef51d6ef6a0bc4080cddc8f30a545 | X_refsource_misc | |
| https://github.com/vnotex/vnote/security/advisories/GHSA-w655-h68w-vxxc | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| https://github.com/sh3bu/CVE-2024-41662 | 2024-07-24 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|