CVE-2024-41662

HIGH

Vnote < 3.18.1 - XSS

Title source: rule

Description

VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which remote code execution can be achieved. A patch for this issue is available at commit f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Other mitigation strategies include implementing rigorous input sanitization for all Markdown content and utilizing a secure Markdown parser that appropriately escapes or strips potentially dangerous content.

Exploits (2)

nomisec WRITEUP 3 stars
by sh3bu · poc
https://github.com/sh3bu/CVE-2024-41662
github WRITEUP
by sh3bu · poc
https://github.com/sh3bu/CVE-disclosures/tree/main/CVE-2024-41662

References (2)

Scores

CVSS v3 8.6
EPSS 0.1224
EPSS Percentile 93.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
vnote_project/vnote < 3.18.1
Published Jul 24, 2024
Tracked Since Feb 18, 2026