Notesnook Stored Cross-Site Scripting Vulnerability Leading to Remote Code Execution

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Notesnook, a privacy-focused note-taking application. The issue is in the note export path and escalates to remote code execution (RCE) in the desktop build. Affected versions are Notesnook Web/Desktop prior to 3.3.15 and Notesnook iOS/Android prior to 3.3.20. The root cause is that note fields (title, headline, and content) are interpolated into the export HTML template without HTML escaping. When a note is exported to PDF, the application renders that HTML in an unsandboxed iframe, so any injected script executes in the Notesnook origin. In the desktop app this becomes RCE because the Electron renderer runs with nodeIntegration enabled and contextIsolation disabled, which exposes Node.js APIs directly to page script.

Impact

Exploiting this vulnerability yields stored XSS that, in the Notesnook Desktop application, becomes arbitrary code execution: the injected JavaScript runs with access to Node.js and Electron APIs, so it can read or write files and execute commands on the user's machine with the privileges of the Notesnook process. The payload persists in the note and fires each time the note is exported.

Reproduction

To reproduce, create a note whose title contains unescaped HTML or JavaScript, for example a script tag. Save the note and export it as a PDF. During export, Notesnook renders the note's HTML in an unsandboxed iframe and the injected script runs in the application origin. In the desktop application, the script can reach Node.js APIs and therefore execute arbitrary code.
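The following is an added example, not Notesnook's code, illustrating the two template patterns the Vulnerability and Reproduction sections describe: an export template that interpolates note fields without escaping, beside a hardened version that escapes the plain-text fields, routes the HTML content field through a caller-supplied sanitizer, and renders the result in a sandboxed iframe under hardened Electron webPreferences. The function names, the note object shape and the sample note are assumptions constructed for this illustration.

```javascript
// Added example, not Notesnook's code. Function names, the note shape and
// the sample note below are assumptions constructed for illustration.

// Escape the five characters that matter when text lands between tags or
// inside a double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE pattern (the behaviour the advisory describes): note fields are
// dropped straight into the template, so a title containing <script> becomes
// live markup once the document is rendered.
function buildExportHtmlUnsafe(note) {
  return `<!doctype html><html><head><title>${note.title}</title></head>` +
    `<body><h1>${note.title}</h1>` +
    `<p class="headline">${note.headline}</p>` +
    `<div class="content">${note.content}</div></body></html>`;
}

// HARDENED pattern: title and headline are plain text, so they are escaped.
// Note content is rich-text HTML, so it cannot simply be escaped; it goes
// through a sanitizer supplied by the caller (an allowlist sanitizer such as
// DOMPurify in a real app; the demo below passes escapeHtml, which treats
// content as plain text, to keep the example dependency-free).
function buildExportHtmlSafe(note, sanitize) {
  return `<!doctype html><html><head><title>${escapeHtml(note.title)}</title></head>` +
    `<body><h1>${escapeHtml(note.title)}</h1>` +
    `<p class="headline">${escapeHtml(note.headline)}</p>` +
    `<div class="content">${sanitize(note.content)}</div></body></html>`;
}

// Defence in depth for the rendering step: a sandboxed iframe with neither
// allow-scripts nor allow-same-origin cannot run script at all, and anything
// it did run would sit in an opaque origin rather than the Notesnook origin.
function exportFrameAttributes(html) {
  return { sandbox: "", srcdoc: html, referrerpolicy: "no-referrer" };
}

// Electron BrowserWindow webPreferences: the weak setting beside the
// corrected one. With the weak settings, any XSS in the renderer can call
// require('child_process') directly.
const weakWebPreferences = { nodeIntegration: true, contextIsolation: false };
const hardenedWebPreferences = {
  nodeIntegration: false,   // page script gets no require()/process
  contextIsolation: true,   // preload and page scripts live in separate worlds
  sandbox: true,            // renderer runs in the OS-level Chromium sandbox
};

// Constructed sample: a note whose title carries a script tag.
const sampleNote = {
  title: "<script>alert(document.domain)</script>",
  headline: "Weekly notes & \"quotes\"",
  content: "<p>Hello</p>",
};

// Run stand-alone: node export-template.js
console.log("weak webPreferences:", JSON.stringify(weakWebPreferences));
console.log("unsafe:", buildExportHtmlUnsafe(sampleNote));
console.log("safe:  ", buildExportHtmlSafe(sampleNote, escapeHtml));
console.log("frame: ", JSON.stringify(exportFrameAttributes("<p>x</p>")));
```

Escaping alone closes the injection only for fields that are genuinely plain text; the content field needs an allowlist sanitizer, and the iframe sandbox together with the renderer settings are what stop a missed case from turning into RCE.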

Remediation

Update to Notesnook Web/Desktop 3.3.15 or later, or Notesnook iOS/Android 3.3.20 or later; these releases address the vulnerability.

Added: May 4, 2026, 5:26 PM
Updated: May 4, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.