Summary
A stored cross-site scripting (XSS) vulnerability in Note Mark version v0.13.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content.
Details
Any link created in the note content can contain any protocol inside, which allows potential attackers to specify payloads using "javascript:" instead of the expected https protocol for the created link.
PoC
A registered user can create a new note (or open any of their existing notes) for editing.
After that, a stored XSS payload can be injected inside the notes by clicking on the "Insert Link" functionality and adding a malicious payload inside the URL's value.
(Screenshots: 1-xss-creation, 2-xss-created, 3-xss-triggered)
An example payload is the following: javascript:alert(1)
After adding the link, any user who clicks on the link inside the note's rendered version will trigger the injected script.
Impact
Any user who accesses the note (which can be public) might click on the malicious link, which will cause them to execute any script injected by leveraging this vulnerability. This can cause users to perform unwanted actions on their behalf inside the Note Mark web application; if the user is logged in, the script can also access the stored access token used for API access.
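The mitigation for the behaviour described under Details is to allowlist the URL scheme of a link destination before it is emitted as an href. The following is an added example and not Note Mark's own code; the scheme allowlist, the dummy base `https://base.invalid/` and the `#` fallback are assumptions chosen for illustration.

```javascript
// Added example (not Note Mark's code): allowlist-based sanitizer for the
// destination of a markdown link. The WHATWG URL parser is used so that the
// scheme comparison already covers case differences ("JavaScript:") and the
// tab/newline tricks ("java\tscript:") that a naive prefix check misses.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumption
const FALLBACK_HREF = "#"; // harmless replacement for rejected destinations

function sanitizeHref(raw) {
  if (typeof raw !== "string") return FALLBACK_HREF;
  const trimmed = raw.trim();
  if (trimmed === "") return FALLBACK_HREF;
  let parsed;
  try {
    // The dummy base only matters for relative inputs ("/notes/1", "#top",
    // "//cdn.example"); absolute inputs keep their own scheme.
    parsed = new URL(trimmed, "https://base.invalid/");
  } catch {
    return FALLBACK_HREF; // unparseable destination
  }
  if (!SAFE_SCHEMES.has(parsed.protocol)) return FALLBACK_HREF;
  // Preserve the author's relative link as written instead of rewriting it
  // against the dummy base; normalise absolute links through the parser.
  const isAbsolute = /^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(trimmed.replace(/[\t\n\r]/g, ""));
  return isAbsolute ? parsed.href : trimmed;
}

// HTML-escape an attribute value so the href cannot break out of the tag.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render one markdown link as an anchor with a sanitized, escaped href.
function renderLink(text, rawHref) {
  const href = escapeAttr(sanitizeHref(rawHref));
  return `<a href="${href}" rel="noopener noreferrer">${escapeAttr(text)}</a>`;
}
```

Run the sanitizer on the decoded link destination the markdown parser produces, since CommonMark decodes entity references in destinations before they reach the renderer.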