Notesnook Web Clipper Stored Cross-Site Scripting Vulnerability Leading to Remote Code Execution
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Notesnook Web Clipper, prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS. This vulnerability can be escalated to remote code execution in the desktop application. The issue arises because the clipper retains attacker-controlled attributes from the source page's root element and embeds them into the web-clip HTML. When the clip is accessed later, Notesnook renders this HTML into a same-origin, unsandboxed iframe using 'contentDocument.write(...)'. Event-handler attributes such as 'onload', 'onclick', and 'onmouseover' execute within the Notesnook origin. In the desktop app, this configuration allows for remote code execution, as Electron is set with 'nodeIntegration: true' and 'contextIsolation: false'.
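The defensive principle behind the fix is to rebuild each tag, the root element included, from an allowlist of known-safe attributes rather than copying the source page's attributes verbatim. The following is an added example written for this advisory, not Notesnook's own code; the attribute allowlist, the regular-expression tokenizer (which handles only well-formed markup; a real sanitizer should go through a DOM parser) and the sample clip are all assumptions constructed here.

```javascript
// Added example, not Notesnook's code: allowlist filtering of attributes in a
// clipped HTML string. The tokenizer handles well-formed markup only; production
// code should sanitize through a real DOM parser, not regular expressions.

const ALLOWED_ATTRS = new Set(["lang", "dir", "class", "title", "alt", "href", "src"]);
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;

// Start tag: name, raw attribute string, optional self-closing slash.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
// One attribute: name and optionally a double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Keep only allowlisted attributes; record every rejected name in `dropped`.
function filterAttributes(attrString, dropped) {
  const kept = [];
  for (const m of attrString.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) { dropped.push(name); continue; }
    // URL-bearing attributes additionally need a known-safe scheme.
    if ((name === "href" || name === "src") && !SAFE_URL.test(value.trim())) {
      dropped.push(name); continue;
    }
    kept.push(`${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return kept;
}

// Rewrite every start tag (root element included) with filtered attributes.
function sanitizeClip(html) {
  const dropped = [];
  const noScripts = html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
  const clean = noScripts.replace(TAG_RE, (_whole, tag, attrs, selfClose) => {
    const kept = filterAttributes(attrs, dropped);
    return `<${tag.toLowerCase()}${kept.length ? " " + kept.join(" ") : ""}${selfClose ? " /" : ""}>`;
  });
  return { html: clean, dropped };
}

// Triage helper for clips already stored: list event-handler attribute names present.
function findEventHandlers(html) {
  return sanitizeClip(html).dropped.filter((name) => /^on[a-z]+$/.test(name));
}

// Constructed sample clip: the root element carries attributes copied from the source page.
const SAMPLE_CLIP =
  '<html lang="en" onload="handler()" data-page="42"><body onmouseover="other()">' +
  '<p class="note">clipped text</p><a href="https://example.com/">link</a></body></html>';
```

`findEventHandlers` is useful for scanning a note store for clips saved by a pre-fix clipper, since such clips remain dangerous until re-rendered through a sanitizer or a sandboxed frame.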
Impact
Exploitation of this vulnerability results in stored cross-site scripting on all platforms and in remote code execution in the desktop application.
Reproduction
To reproduce this vulnerability, an attacker must first create a malicious HTML page that includes event-handler attributes such as 'onload' on its root element. This page should be hosted on a server under the attacker's control. The victim, using a browser with the Notesnook Web Clipper extension installed, must open the malicious page. Once the page is loaded, the Web Clipper can be used to save a clip of the page, which will include the injected event handlers. When this clip is later opened in the Notesnook desktop application, the stored XSS executes, leading to remote code execution.
Remediation
Users should update to Notesnook version 3.3.11 or later on Web/Desktop, and version 3.3.17 or later on Android/iOS.
