CVE-2020-35717

CRITICAL

zonote < 0.4.0 - Stored Cross-Site Scripting via Crafted Note

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-35717. PoCs published by hmartos, Redfox-Security.

AI-analyzed exploit summary This repository demonstrates an XSS vulnerability in zonote (v0.4.0) that leads to Remote Code Execution due to Node.js integration. The exploit involves importing a crafted note file and hovering over malicious links.

Description

zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).

Exploits (2)

nomisec WORKING POC 1 stars

by hmartos · poc

https://github.com/hmartos/cve-2020-35717

View Code ZIP pw:eip

This repository demonstrates an XSS vulnerability in zonote (v0.4.0) that leads to Remote Code Execution due to Node.js integration. The exploit involves importing a crafted note file and hovering over malicious links.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: zonote v0.4.0

No auth needed

Prerequisites: Access to zonote application · Ability to import a crafted note file

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec STUB

by Redfox-Security · poc

https://github.com/Redfox-Security/Hacking-Electron-Apps-CVE-2020-35717-

View Code ZIP pw:eip

The repository contains only a README.md file with a title and no functional exploit code or technical details. It appears to be a placeholder or incomplete repository.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: Electron Apps

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Product, Third Party Advisory x_refsource_misc

https://www.electronjs.org/apps/zonote

Product, Third Party Advisory x_refsource_misc

https://github.com/zonetti/zonote

Exploit, Third Party Advisory x_refsource_misc

https://github.com/hmartos/cve-2020-35717

Exploit, Third Party Advisory x_refsource_misc

https://medium.com/bugbountywriteup/remote-code-execution-through-cross-site-scripting-in-electron-f3b891ad637

Scores

CVSS v3 9.0

EPSS 0.0376

EPSS Percentile 88.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-79

Status published

Products (1)

electronjs/zonote < 0.4.0

Published Jan 01, 2021

Tracked Since Feb 18, 2026