Note Mark Unauthenticated Access to Soft-Deleted Public Book Content Vulnerability

Vulnerability

A vulnerability in Note Mark, an open-source note-taking application, allows unauthenticated users to access notes and assets belonging to soft-deleted public books. Versions through 0.19.2 are affected. The root cause is that a book's soft-deleted state is not applied to the raw SQL joins used by the note and asset queries, so the content of a soft-deleted public book remains reachable through the corresponding API endpoints.

Impact

This vulnerability leads to unauthorized access to notes and assets from soft-deleted public books, allowing unauthenticated users to read content that should have been removed.

Reproduction

To reproduce this vulnerability, create a public book, add a note with content, and then soft-delete the book. The note's content remains reachable by its note ID or slug path through the corresponding API endpoints, even though the book has been deleted.

Remediation

Users should update to Note Mark version 0.19.3, which fixes the issue by filtering soft-deleted books out of the visibility checks for notes and assets.
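The bug class described above (a soft-delete marker applied on the book table but not on the join that note and asset lookups use) and the shape of the fix can be shown on a small SQLite model. The following is an added illustration, not Note Mark's code, schema or API; the table and column names (books.deleted_at, notes.book_id, etc.) are assumptions, and the data is constructed. It shows the leaking query beside the hardened one and a regression check that a maintainer could keep in a test suite.

```python
import sqlite3

# Constructed schema for illustration only; not Note Mark's real schema.
# A book is soft-deleted by setting deleted_at, never by removing the row.
SCHEMA = """
CREATE TABLE books (
    id         INTEGER PRIMARY KEY,
    slug       TEXT NOT NULL,
    is_public  INTEGER NOT NULL DEFAULT 0,
    deleted_at TEXT                -- NULL while live, timestamp once soft-deleted
);
CREATE TABLE notes (
    id      INTEGER PRIMARY KEY,
    book_id INTEGER NOT NULL REFERENCES books(id),
    slug    TEXT NOT NULL,
    content TEXT NOT NULL
);
"""


def make_db():
    """Build an in-memory database with one public book and one note (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO books (id, slug, is_public) VALUES (1, 'public-book', 1)")
    conn.execute(
        "INSERT INTO notes (id, book_id, slug, content) VALUES (10, 1, 'hello', 'draft text')"
    )
    conn.commit()
    return conn


def soft_delete_book(conn, book_id):
    """Soft-delete: mark the row, keep it in the table."""
    conn.execute(
        "UPDATE books SET deleted_at = CURRENT_TIMESTAMP WHERE id = ?", (book_id,)
    )
    conn.commit()


def public_note_vulnerable(conn, note_id):
    """Unauthenticated lookup whose join checks is_public only.

    The soft-delete marker on the joined book row is never consulted, so a
    note in a deleted public book is still returned.
    """
    row = conn.execute(
        """SELECT n.content
             FROM notes n
             JOIN books b ON b.id = n.book_id
            WHERE n.id = ? AND b.is_public = 1""",
        (note_id,),
    ).fetchone()
    return row[0] if row else None


def public_note_fixed(conn, note_id):
    """Hardened lookup: the join condition itself carries the soft-delete predicate.

    Putting deleted_at IS NULL in the ON clause means every query built on
    this join excludes deleted books, rather than relying on each caller to
    remember an extra WHERE term.
    """
    row = conn.execute(
        """SELECT n.content
             FROM notes n
             JOIN books b ON b.id = n.book_id AND b.deleted_at IS NULL
            WHERE n.id = ? AND b.is_public = 1""",
        (note_id,),
    ).fetchone()
    return row[0] if row else None


def leaks_after_soft_delete(lookup):
    """Regression check: does `lookup` still return content after the book is soft-deleted?"""
    conn = make_db()
    assert lookup(conn, 10) == "draft text"  # visible while the book is live
    soft_delete_book(conn, 1)
    return lookup(conn, 10) is not None


if __name__ == "__main__":
    print("vulnerable query leaks:", leaks_after_soft_delete(public_note_vulnerable))
    print("fixed query leaks:     ", leaks_after_soft_delete(public_note_fixed))
```

The same predicate must be applied to every query that reaches note or asset rows through the book table (lookup by ID, lookup by slug, asset downloads); a regression check like leaks_after_soft_delete, run against each such query function, is the cheapest way to keep one of them from being missed again.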

Added: May 4, 2026, 6:28 PM
Updated: May 4, 2026, 6:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.3
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.