We found a stored xss vulnerability in vnote #564
Comments
Thanks! Will try to fix it later.
nice~ |
Fixed. Turned off by default due to its personal use and perf issue. vnote/src/data/core/vnotex.json, line 222 in 315d543
Thanks!
nice!
…------------------ Original message ------------------
From: "vnotex/vnote" <notifications@github.com>;
Sent: November 29, 2020 (Sunday) 11:06 AM
To: "vnotex/vnote"<vnote@noreply.github.com>;
Cc: "answer"<81445011@qq.com>;"Author"<author@noreply.github.com>;
Subject: Re: [vnotex/vnote] We found a stored xss vulnerability in vnote (#564)
Fixed. Turned off by default due to its personal use and perf issue.
https://github.com/vnotex/vnote/blob/315d5433998b122fdba68d2492dbd71290b13f44/src/data/core/vnotex.json#L222
Thanks!
Hello friend, we are the farmsec security team, we found a stored XSS vulnerability in vnote:
![1](https://user-images.githubusercontent.com/25338295/50722138-4ca68180-1105-11e9-8d8f-b38d4dcc4d8a.png)
![3](https://user-images.githubusercontent.com/25338295/50722217-b5422e00-1106-11e9-80cf-d4d1bee70490.png)
![2](https://user-images.githubusercontent.com/25338295/50722232-e91d5380-1106-11e9-97cf-847532f0f7e1.png)
![4](https://user-images.githubusercontent.com/25338295/50722262-5f21ba80-1107-11e9-852d-e8676803b71a.png)
![5](https://user-images.githubusercontent.com/25338295/50722281-a314bf80-1107-11e9-90cb-1e5762be9ef0.png)
![7](https://user-images.githubusercontent.com/25338295/50722312-04d52980-1108-11e9-8681-8ad24a9ea5f2.png)
OS Version: Linux
VNote Version: VNote-2.2
Symptoms:
1. The app does not filter specific HTML tags, such as:
`<img>`
`<iframe>`
`<video>`
2. An attacker can execute a JavaScript script by using a malicious HTML tag.
How to Repro:
1. Install vnote for linux
https://github.com/tamlok/vnote
2. Click New Note
Fill in the notebook name
Click OK.
3. New folder
Click OK.
4. New text note
5. Fill in the XSS vulnerability test payload
payload:
```html
<iframe src="javascript:alert('xss')">
```
6. Access note
Enter Ctrl+T
The code is executed in the browser
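The symptom reported above (unfiltered `<img>`, `<iframe>` and `<video>` tags reaching the note's web view) is the kind of defect an allowlist-based HTML sanitizer catches before the rendered HTML is handed to the browser. The following Python example is added here as an illustration; it is not part of this issue and not VNote's own code. The tag and attribute allowlists, the `sanitize_html` function and the constructed sample inputs are assumptions chosen for the example. It also returns a list of what was removed, which is the signal a maintainer would log to spot notes carrying such content.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist-based sanitizer for rendered note HTML. Every list below is an
# assumption made for this example; VNote's real renderer is not shown here.
ALLOWED_TAGS = {
    "p", "br", "b", "strong", "i", "em", "code", "pre", "ul", "ol", "li",
    "a", "h1", "h2", "h3", "blockquote",
}
# Only these attributes survive on allowed tags. Event-handler and style
# attributes are never listed, so they are always removed.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# URL schemes permitted in href; "" covers relative links such as "notes/a.md".
SAFE_SCHEMES = {"http", "https", "mailto", ""}
# Tags whose inner content is discarded together with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


def url_is_safe(value):
    """True if the URL's scheme is allowlisted.

    Whitespace and control characters are removed before the scheme is parsed,
    because browsers ignore them when resolving a URL.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme in SAFE_SCHEMES


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # pieces of the cleaned document
        self.dropped = []   # what was removed, for logging or alerting
        self._skip = 0      # >0 while inside a tag whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in DROP_WITH_CONTENT:
                self._skip = 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not url_is_safe(value):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip:
            if tag in DROP_WITH_CONTENT:
                self._skip -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so "&amp;" in, "&" decoded, "&amp;" out.
        if not self._skip:
            self.out.append(escape(data, quote=False))


def sanitize_html(html):
    """Return (cleaned_html, dropped) for a fragment of rendered note HTML."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # The payload from the report, followed by constructed benign inputs.
    samples = [
        "<iframe src=\"javascript:alert('xss')\">",
        '<p>see <img src="diagram.png"> and <video src="clip.mp4"></video></p>',
        '<a href="https://example.com/doc">doc</a> <a href="javascript:void(0)">x</a>',
    ]
    for html in samples:
        clean, dropped = sanitize_html(html)
        print(f"{html!r}\n -> {clean!r} dropped={dropped}")
```

The allowlist approach is deliberate: a denylist of known-bad tags has to be extended every time a new element or attribute turns out to be scriptable, whereas an allowlist only ever grows when the maintainer decides a new element is wanted. A sanitizer like this belongs between the markdown renderer and the web view, and its `dropped` list is worth logging so that notes containing removed content can be reviewed.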