Closed
Description
An XSS vulnerability exists that leads to arbitrary code execution
Version
- v1.0.4
- Tested on: Linux
To reproduce
Steps to reproduce the behavior:
- Create a new project
- Create a new Note with the value:
<img src="asdf" onerror="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">
Expected behavior
This cross-site scripting vulnerability allows an attacker to execute arbitrary code on the victim's machine by creating a malicious note. In the worst case this will lead to a reverse shell. I am not going to paste the code for the reverse shell here for obvious reasons.
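The two halves of the fix a maintainer would want, as an added example that is not part of the original report or of the project's own code. It assumes the application is an Electron app that builds note markup from raw note text (the `require('os')` in the payload only works where the renderer has Node integration enabled); the function names are illustrative, while the `webPreferences` keys are Electron's real option names.

```javascript
// Added example, not part of the original issue or the project's code.
// Assumption: the app renders note bodies as HTML in an Electron renderer
// that has Node integration enabled, which is what makes the reported
// onerror="require('os')..." payload reach the operating system.

// Encode the five characters HTML treats as markup so note text is shown
// literally rather than parsed into elements and event-handler attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// What the report implies the app does today: raw note text is interpolated
// into markup, so an <img onerror=...> in the note becomes a live element.
function renderNoteUnsafe(noteText) {
  return `<div class="note">${noteText}</div>`;
}

// Hardened rendering: the note's content is escaped, so the same payload is
// displayed as text. (Using element.textContent instead of innerHTML in the
// renderer achieves the same thing without a string builder.)
function renderNoteSafe(noteText) {
  return `<div class="note">${escapeHtml(noteText)}</div>`;
}

// Regression check for a test suite: after stripping the wrapper the app
// added itself, does any raw '<' followed by a tag-name character remain in
// the part that came from the note? Escaped content never contains one.
function containsActiveMarkup(html) {
  const inner = html.replace(/^<div class="note">/, '').replace(/<\/div>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Second half of the fix, applied to new BrowserWindow({ webPreferences }):
// with Node integration off, context isolation on and the sandbox enabled,
// a script that does slip into the page has no require() and no os module,
// so an XSS stays an XSS instead of becoming code execution on the host.
function hardenedWebPreferences() {
  return { nodeIntegration: false, contextIsolation: true, sandbox: true };
}

// Constructed sample: the payload shape from the report, shortened.
const REPORTED_PAYLOAD =
  '<img src="asdf" onerror="var os = require(\'os\'); alert(os.homedir());">';

console.log('unsafe render keeps markup:', containsActiveMarkup(renderNoteUnsafe(REPORTED_PAYLOAD)));
console.log('safe render keeps markup:  ', containsActiveMarkup(renderNoteSafe(REPORTED_PAYLOAD)));
console.log('safe render:', renderNoteSafe(REPORTED_PAYLOAD));
```

Both changes are needed: escaping alone still leaves the renderer one missed sink away from host access, and the `webPreferences` change alone still leaves a stored XSS in every note.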
