VNote Note-Taking App Exposes Users to Cross-Site Scripting Attacks
CVE-2024-41662

9.6CRITICAL

Key Information:

Vendor

Vnotex

Status
Vendor
CVE Published:
24 July 2024

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2024-41662?

A Cross-Site Scripting (XSS) vulnerability has been identified within the Markdown rendering feature of the VNote note-taking application. This issue, present in versions 3.18.1 and prior, enables attackers to inject and execute arbitrary JavaScript code, potentially allowing for remote code execution. Users are advised to apply patch f1af78573a0ef51d6ef6a0bc4080cddc8f30a545, which addresses this vulnerability. In addition, implementing rigorous input sanitization for Markdown content and employing a secure Markdown parser can further mitigate associated risks.

Affected Version(s)

vnote <= 3.18.1

News Articles

PoC Released - CVE-2024-41662 Markdown XSS leads to RCE in VNote version <=3.18.1

Markdown XSS leads to RCE in VNote version <=3.18.1 Severity : High (8.6) CVSS score : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Summary : A Cross-Site Scripting (XSS) vulnerability was identified in the Markdown rendering functionality of

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 📰

    First article discovered by darkwebinformer.com

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.