VNote Code Execution Vulnerability
CVE-2024-39904

8.8HIGH

Key Information:

Vendor

Vnotex

Status
Vendor
CVE Published:
11 July 2024

What is CVE-2024-39904?

VNote, a note-taking platform, contains a vulnerability that allows an attacker to execute arbitrary programs on a victim's system due to improper handling of URIs prior to version 3.18.1. By embedding a malicious URI within a note, such as file:///C:/WINDOWS/system32/cmd.exe, attackers can exploit this issue to run local executable files on the affected system. This vulnerability can be exploited through crafted notes, thus enabling further malicious actions once the note is shared and opened. Users are advised to upgrade to version 3.18.1 or later to mitigate this risk.

Affected Version(s)

vnote < 3.18.1

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.