CVE-2024-41662

VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which remote code execution can be achieved. A patch for this issue is available at commit f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Other mitigation strategies include implementing rigorous input sanitization for all Markdown content and utilizing a secure Markdown parser that appropriately escapes or strips potentially dangerous content.
Configurations

Configuration 1 (hide)

cpe:2.3:a:vnote_project:vnote:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:32

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.6
v2 : unknown
v3 : 8.6
References () https://github.com/vnotex/vnote/commit/f1af78573a0ef51d6ef6a0bc4080cddc8f30a545 - Patch () https://github.com/vnotex/vnote/commit/f1af78573a0ef51d6ef6a0bc4080cddc8f30a545 - Patch
References () https://github.com/vnotex/vnote/security/advisories/GHSA-w655-h68w-vxxc - Exploit, Third Party Advisory () https://github.com/vnotex/vnote/security/advisories/GHSA-w655-h68w-vxxc - Exploit, Third Party Advisory

03 Oct 2024, 01:12

Type Values Removed Values Added
First Time Vnote Project
Vnote Project vnote
References () https://github.com/vnotex/vnote/commit/f1af78573a0ef51d6ef6a0bc4080cddc8f30a545 - () https://github.com/vnotex/vnote/commit/f1af78573a0ef51d6ef6a0bc4080cddc8f30a545 - Patch
References () https://github.com/vnotex/vnote/security/advisories/GHSA-w655-h68w-vxxc - () https://github.com/vnotex/vnote/security/advisories/GHSA-w655-h68w-vxxc - Exploit, Third Party Advisory
CPE cpe:2.3:a:vnote_project:vnote:*:*:*:*:*:*:*:*
Summary
  • (es) VNote es una plataforma para tomar notas. Se identificó una vulnerabilidad de Cross-Site Scripting (XSS) en la funcionalidad de renderizado Markdown de las versiones 3.18.1 y anteriores de la aplicación de toma de notas VNote. Esta vulnerabilidad permite la inyección y ejecución de código JavaScript arbitrario a través del cual se puede lograr la ejecución remota de código. Hay un parche para este problema disponible en la confirmación f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Otras estrategias de mitigación incluyen implementar una rigurosa sanitización de entradas para todo el contenido de Markdown y utilizar un analizador de Markdown seguro que escape o elimine adecuadamente el contenido potencialmente peligroso.
CVSS v2 : unknown
v3 : 8.6
v2 : unknown
v3 : 9.6

24 Jul 2024, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-24 17:15

Updated : 2024-11-21 09:32


NVD link : CVE-2024-41662

Mitre link : CVE-2024-41662

CVE.ORG link : CVE-2024-41662


JSON object : View

Products Affected

vnote_project

  • vnote
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')