VNote Code Execution Vulnerability
CVE-2024-39904
8.8HIGH
What is CVE-2024-39904?
VNote, a note-taking platform, contains a vulnerability that allows an attacker to execute arbitrary programs on a victim's system due to improper handling of URIs prior to version 3.18.1. By embedding a malicious URI within a note, such as file:///C:/WINDOWS/system32/cmd.exe, attackers can exploit this issue to run local executable files on the affected system. This vulnerability can be exploited through crafted notes, thus enabling further malicious actions once the note is shared and opened. Users are advised to upgrade to version 3.18.1 or later to mitigate this risk.
Affected Version(s)
vnote < 3.18.1
