Note Mark Stored Cross-Site Scripting Vulnerability via Unrestricted Asset Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in Note Mark, an open-source note-taking application, in versions through 0.19.1. The issue arises because the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type. This method fails to recognize text-based formats such as HTML, SVG, or XHTML, resulting in these files being delivered with an empty Content-Type, no X-Content-Type-Options: nosniff header, and inline disposition. Consequently, browsers can sniff and execute active content. An authenticated user can exploit this by uploading an HTML or SVG file containing JavaScript as a note asset. When a victim accesses the asset URL, the script executes under the application's origin, with access to the victim's authenticated session and API actions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded assets containing active scripts are executed in the context of the application origin, potentially leading to unauthorized access to private notes and profile data via the application's API.

Reproduction

To reproduce this vulnerability, upload a text-based active content file, such as HTML or SVG, as a note asset. Then, open the served asset URL in a browser. The uploaded script will execute in the context of the application, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to Note Mark version 0.19.2, which addresses this vulnerability by implementing proper content type handling and removing the liquid parser from the render.
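As an added illustration of the content-type handling the remediation describes (this is example code, not Note Mark's own handler or its 0.19.2 fix), a hardened Go asset-delivery function that only renders an allowlist of passive image types inline and forces everything the magic-byte detector cannot classify, including HTML and SVG, to download as an opaque byte stream with nosniff set; the names inlineSafe, AssetHeaders and ServeAsset and the detected-type string are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
)

// Hypothetical allowlist of passive image types that may be rendered inline.
// Text-based formats (HTML, SVG, XHTML) are deliberately absent: they can
// carry script and must never be served inline from the application origin.
var inlineSafe = map[string]bool{
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
	"image/webp": true,
}

// AssetHeaders decides how an uploaded asset is delivered. detected is the
// type a magic-byte detector reported ("" when it recognised nothing, which
// is exactly the case for text formats). Unknown or non-allowlisted types
// fall through to a download with a generic type rather than an empty one.
func AssetHeaders(name, detected string) (contentType, disposition string) {
	base := filepath.Base(name)
	if inlineSafe[detected] {
		return detected, fmt.Sprintf("inline; filename=%q", base)
	}
	return "application/octet-stream", fmt.Sprintf("attachment; filename=%q", base)
}

// ServeAsset writes the body with the decided headers. nosniff is set on
// every response so the browser cannot override a generic Content-Type, and
// a restrictive CSP blocks script even if a type were ever misclassified.
func ServeAsset(w http.ResponseWriter, name, detected string, body []byte) {
	ct, disp := AssetHeaders(name, detected)
	w.Header().Set("Content-Type", ct)
	w.Header().Set("Content-Disposition", disp)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "default-src 'none'; sandbox")
	w.WriteHeader(http.StatusOK)
	w.Write(body)
}

func main() {
	// Constructed sample: an SVG the sniffer did not recognise (detected == "").
	ct, disp := AssetHeaders("diagram.svg", "")
	fmt.Println(ct, disp) // application/octet-stream attachment; filename="diagram.svg"
}
```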

Added: Apr 17, 2026, 1:28 AM
Updated: Apr 17, 2026, 1:28 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  5.8
remediation     0.0
relevance       6.1
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.