We found a stored xss vulnerability in vnote #564
Comments
|
Thanks! Will try to fix it later. |
|
nice~ |
|
Fixed. Turned off by default due to its personal use and perf issue. vnote/src/data/core/vnotex.json Line 222 in 315d543 Thanks! |
|
nice!
…------------------ 原始邮件 ------------------
发件人: "vnotex/vnote" <notifications@github.com>;
发送时间: 2020年11月29日(星期天) 中午11:06
收件人: "vnotex/vnote"<vnote@noreply.github.com>;
抄送: "answer"<81445011@qq.com>;"Author"<author@noreply.github.com>;
主题: Re: [vnotex/vnote] We found a stored xss vulnerability in vnote (#564)
Fixed. Turned off by default due to its personal use and perf issue.
https://github.com/vnotex/vnote/blob/315d5433998b122fdba68d2492dbd71290b13f44/src/data/core/vnotex.json#L222
Thanks!
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello friend,we are farmsec security team,we found a stored xss vulnerability in vnote:
OS Version : Linux
VNote Version :VNote-2.2
Symptoms :
1.The app does not filter specific html tags,as:
<img><iframe><video>2.An attacker can execute a javascript script by using a malicious html tag.
How to Repro :
1.Install vnote for linux
https://github.com/tamlok/vnote
2.Click New Note
Fill in the notebook name
Click OK.
3.New folder
Click OK.
4.New text note
5.Fill in the xss vulnerability test payload
payload:
<iframe src="javascript:alert('xss')">6.Access note
Enter Ctrl+T
The code is executed in the browser
The text was updated successfully, but these errors were encountered: