Notesnook Web/Desktop Cross-Site Scripting Vulnerability Leading to Remote Code Execution

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Notesnook, a note-taking application, in Web/Desktop versions prior to 3.3.11. The issue resides in the note history comparison viewer, which renders the attacker-controlled note header (the note title) with 'dangerouslySetInnerHTML' and no sanitization, so markup and script placed in a title execute when the history view is opened. In the desktop application the impact is compounded by the Electron renderer configuration, which enables node integration and disables context isolation: injected script can reach Node.js APIs such as 'require' and the XSS escalates to remote code execution (RCE).

Impact

Exploitation of this vulnerability yields stored cross-site scripting on all platforms. In the desktop application the improper Electron renderer configuration (node integration enabled, context isolation disabled) escalates it to remote code execution on the victim's machine.

Reproduction

To reproduce this vulnerability, create a note on an attacker-controlled account with the malicious payload in its title, and save it so that a history entry is generated. Export the note as a backup file and deliver the file to the victim. When the victim restores the backup and opens the note's history, the title is rendered unescaped and executes as JavaScript; in the desktop application the Electron environment turns this into remote code execution.

Remediation

Update to Notesnook version 3.3.11 or later, where this vulnerability has been patched. Until then, treat backup files from untrusted sources as hostile and avoid restoring them.

Added: Mar 27, 2026, 10:25 PM
Updated: Mar 27, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  3.8
remediation     0.0
relevance       4.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.