Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-41662 PoC — VNote vulnerable to Markdown XSS, which leads to RCE

Source
https://github.com/sh3bu/CVE-2024-41662
Associated Vulnerability
Title:VNote vulnerable to Markdown XSS, which leads to RCE (CVE-2024-41662)
Description:VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which remote code execution can be achieved. A patch for this issue is available at commit f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Other mitigation strategies include implementing rigorous input sanitization for all Markdown content and utilizing a secure Markdown parser that appropriately escapes or strips potentially dangerous content.
Description
Markdown XSS leads to RCE in VNote version <=3.18.1
Readme
# CVE-2024-41662
Markdown XSS leads to RCE in VNote version &lt;=3.18.1

**Severity :** **High** (**8.6**)

**CVSS score :** `CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` 

## Summary :

A **Cross-Site Scripting (XSS)** vulnerability was identified in the Markdown rendering functionality of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code, potentially leading to **Remote Code Execution (RCE)**.

## Steps to Reproduce :

1. Create a note in Vnote.
2. Enter the following JS payload in the app,
   
```html
<img src="" onerror="alert('XSS') alt="alt text">
```
3. Press **CTRL+T** to render the markdown content.
4. Observe the JavaScript payload executing an alert popup.

![image](https://github.com/user-attachments/assets/8124c2a0-e5df-461d-af11-991d918cbb87)

There is no whitelisting or output encoding performed for the given payload, resulting in an XSS vulnerability.

> NOTE: The application properly validates some JavaScript payloads by performing output encoding in the app. However, it fails to validate in certain cases.

![image](https://github.com/user-attachments/assets/fea2b50d-0cd1-441d-8d76-6478b7c26c86)

![image](https://github.com/user-attachments/assets/e836ab2a-ca9c-4e45-8ab6-013fb37d58fb)

5. Further an attacker can achieve **Remote Code execution** using the following payload.

```html
<iframe src="../../../../../../../../Windows/System32/cmd.exe"  />
```
![image](https://github.com/user-attachments/assets/07469a14-0bad-494d-9033-55a8cfbffc93)


## Affected Version Details :

- <=3.18.1

## Impact :

This vulnerability can be exploited by an attacker to gain unauthorized access to the system, execute arbitrary commands, and potentially take control of the affected machine. This could lead to system compromise and other severe security incidents.

## Mitigation :

- Implement rigorous input sanitization for all Markdown content.
- Utilize a secure Markdown parser that appropriately escapes or strips potentially dangerous content.

## References :

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41662
File Snapshot

 [4.0K]  /data/pocs/03fd01776eb0bfe2e34252c8117a8777541e3b2a
└── [2.1K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →