VNote Note-Taking App Exposes Users to Cross-Site Scripting Attacks
CVE-2024-41662
Key Information:
Badges
What is CVE-2024-41662?
A Cross-Site Scripting (XSS) vulnerability has been identified within the Markdown rendering feature of the VNote note-taking application. This issue, present in versions 3.18.1 and prior, enables attackers to inject and execute arbitrary JavaScript code, potentially allowing for remote code execution. Users are advised to apply patch f1af78573a0ef51d6ef6a0bc4080cddc8f30a545, which addresses this vulnerability. In addition, implementing rigorous input sanitization for Markdown content and employing a secure Markdown parser can further mitigate associated risks.
Affected Version(s)
vnote <= 3.18.1
News Articles
PoC Released - CVE-2024-41662 Markdown XSS leads to RCE in VNote version <=3.18.1
Markdown XSS leads to RCE in VNote version <=3.18.1 Severity : High (8.6) CVSS score : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Summary : A Cross-Site Scripting (XSS) vulnerability was identified in the Markdown rendering functionality of
References
CVSS V3.1
Timeline
- 📰
First article discovered by darkwebinformer.com
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved
