Many Notes Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Many Notes version 0.10.1. This issue allows malicious Markdown files to execute JavaScript when the files are viewed. The vulnerability arises because the application processes user content with a Markdown parser and attempts to sanitize it using DOMPurify. However, this sanitization is insufficient, as more sophisticated payloads can bypass the filter and execute scripts.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the Markdown file. This could lead to session hijacking, full account takeover, unauthorized access to sensitive data, and the injection of malware or phishing redirects into trusted pages.

Reproduction

To reproduce this vulnerability, upload a Markdown file containing a script tag, such as one including JavaScript code to display an alert. Once the file is uploaded, it will be stored and later displayed without proper sanitization. When the file is viewed, the JavaScript will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to Many Notes version 0.10.2, which addresses this vulnerability by improving the sanitization process and adding validation for uploaded files. The update is available on the Many Notes GitHub Releases page.