We found a stored xss vulnerability in vnote #564

Closed
@heroanswer

Hello friend, we are the farmsec security team. We found a stored XSS vulnerability in vnote:

OS Version: Linux
VNote Version: VNote-2.2

Symptoms:
1. The app does not filter specific HTML tags, such as:
<img>
<iframe>
<video>
2. An attacker can execute a JavaScript script by using a malicious HTML tag.

How to Repro:
1. Install vnote for Linux
https://github.com/tamlok/vnote
2. Click New Note
Fill in the notebook name
Click OK.
3. New folder
Click OK.
4. New text note
5. Fill in the XSS vulnerability test payload
payload:<iframe src="javascript:alert('xss')">
6. Access note
Enter Ctrl+T
The code is executed in the browser
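
For the missing filtering step the report describes, this added example (not part of the original report and not VNote's code) shows an allowlist filter applied to note text before it is rendered. The tag and attribute allowlist, the URL pattern, and the names `sanitizeNote` and `rebuildTag` are assumptions made for illustration.

```javascript
// Added example, not VNote code: allowlist filter for raw HTML in note text.
// ALLOWED and SAFE_URL are illustrative policy choices, not VNote settings.
const ALLOWED = new Map([["img", ["src", "alt"]], ["a", ["href"]], ["b", []], ["code", []]]);
const URL_ATTRS = new Set(["src", "href"]);
const SAFE_URL = /^(https?:\/\/|\/|\.\/|#)/i; // scheme allowlist, not a blocklist

// Only well-formed tags with quoted attribute values are candidates for rebuilding.
const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z-]+\s*=\s*(?:"[^"<>]*"|'[^'<>]*'))*)\s*\/?>/g;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Encode every character that could open a tag, attribute or entity.
const esc = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Re-emit an allowed tag from its parsed parts; the raw tag text is never copied.
function rebuildTag(match) {
  const [raw, closing, name, attrText] = match;
  const tag = name.toLowerCase();
  if (!ALLOWED.has(tag)) return esc(raw); // iframe, video, script, ... become text
  if (closing) return `</${tag}>`;
  let out = `<${tag}`;
  for (const [, key, dq, sq] of attrText.matchAll(ATTR)) {
    const attr = key.toLowerCase();
    const value = dq ?? sq;
    if (!ALLOWED.get(tag).includes(attr)) continue; // drops event handlers
    if (URL_ATTRS.has(attr) && !SAFE_URL.test(value.trim())) continue; // drops javascript:
    out += ` ${attr}="${esc(value)}"`;
  }
  return out + ">";
}

// Everything that is not a rebuilt allowlisted tag is escaped as plain text.
function sanitizeNote(src) {
  let out = "";
  let last = 0;
  for (const m of src.matchAll(TAG)) {
    out += esc(src.slice(last, m.index)) + rebuildTag(m);
    last = m.index + m[0].length;
  }
  return out + esc(src.slice(last));
}

// The test payload quoted in the report, rendered inert by the filter.
const REPORT_PAYLOAD = `<iframe src="javascript:alert('xss')">`;
console.log(sanitizeNote(REPORT_PAYLOAD));
```

In a real renderer the same policy is better enforced with a maintained HTML sanitizer or by disabling raw HTML in the Markdown engine; the block shows the shape of the check.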
