InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


22.6k+ GitHub Stars Note-Taking App Hit by XSS Vulnerability


CVE-2023-3067: Stored Cross-Site Scripting Vulnerability in the renowned thick-client note-taking app Trilium

https://github.com/zadam/trilium/wiki/images/dark-theme.png
Trilium Notes is a Hierarchical Note-Taking App for Knowledge Bases

Introduction

Every digital creation has flaws, and in this blog post we’ll look at a recent discovery that shook the foundation of this popular open-source hierarchical note-taking application. While testing the thick-client application, I discovered stored cross-site scripting vulnerabilities in the Title section, which appeared in an unusual place.

Understanding CVE-2023-3067: Trilium Notes XSS Issue

Description:

A vulnerability was discovered while adding new notes in Trilium Notes: a note’s title is shown immediately in the “Note Map” function, and because the title is rendered there as HTML rather than as text, it permits HTML injection and cross-site scripting (XSS) that is both reflected (on creation) and stored (on every later view). The need for security vigilance cannot be overstated.

Affected Versions: The vulnerability is present in versions of Trilium Notes from the GitHub repository zadam/trilium prior to version 0.59.4.

Steps to Reproduce:

  1. Download the vulnerable version (0.58.0-beta for Windows) from this link.
  2. Run the trilium.exe application.
  3. Create a new note within Trilium.
  4. Manipulate the Note Title: name the new note "><img src="x" onerror=alert(1337) />.
  5. Visit the “Note Map”: open the “Note Map” functionality within Trilium.
  6. Exploit Triggered: click the red dot in the “Note Map” or simply wait for the alert to appear. The XSS is now both reflected and stored, causing the alert box to pop up every time.

Cross-Site-Scripting Payload used: "><img src="x" onerror=alert(1337) />
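As an added illustration (not Trilium’s code and not the 0.59.4 fix), the snippet below contrasts the rendering pattern behind this class of bug with the output-escaping that stops it, using the payload from the steps above; the function names are hypothetical.

```javascript
// Added example, not part of the original post or of Trilium.
// The note title from the write-up, as it would be stored.
const PAYLOAD_TITLE = '"><img src="x" onerror=alert(1337) />';

// Vulnerable pattern (hypothetical): the stored title is concatenated
// straight into markup that is later assigned to innerHTML, so any
// tag in the title is parsed by the browser.
function renderLabelUnsafe(noteId, title) {
  return `<div class="note-map-label" data-note="${noteId}">${title}</div>`;
}

// Hardened pattern: escape the five HTML-significant characters before
// the title is placed into markup, so it is displayed as literal text.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderLabelSafe(noteId, title) {
  return `<div class="note-map-label" data-note="${escapeHtml(noteId)}">` +
         `${escapeHtml(title)}</div>`;
}

// Regression-test helper: does the rendered markup contain a tag the
// template itself never emits? True means user input became markup.
function introducesTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// Where a real DOM is available, assigning textContent instead of
// innerHTML avoids HTML parsing altogether (browser-only; for reference).
function setLabelText(element, title) {
  element.textContent = title;
}

console.log('unsafe render injects <img>:',
  introducesTag(renderLabelUnsafe('n1', PAYLOAD_TITLE), 'img')); // true
console.log('safe render injects <img>:',
  introducesTag(renderLabelSafe('n1', PAYLOAD_TITLE), 'img'));   // false
```

The same check can be dropped into a unit test so that any future change that reintroduces raw title rendering in the Note Map fails the build.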

Screenshot:

When the Red Dot in the Note Map was clicked, the stored XSS was executed, and an alert box appeared.

📽️ Video PoC

https://drive.google.com/drive/folders/1Wt_BhUngMjFo3L2_7RhA4gFnYyJTHd5Z

What Did I Do Next?

I responsibly reported the vulnerability to the huntr.dev platform, which then engaged with the administrator of Trilium’s open-source repository. The report was meticulously validated, assigned an appropriate severity score, and promptly addressed through a new software release.

Subsequently, I was honored with the assignment of a CVE for my contribution to the security of the software ecosystem.

Officially disclosed report:

Official Announcements:

CVE-2023-3067 Detail:

Thank you for reading ✌🏻

Take care, fellow hackers!

Happy Hunting :>

You can connect with me on LinkedIn or Twitter for more such insights!


Published in InfoSec Write-ups


Written by Raiders

Smart Contract Security | Technical Writing | DevSecOps | Penetration Testing | AppSec | Building https://web3sec.news/
