Remote Code Execution Through Cross-Site Scripting In Electron Apps
CVE-2020-35717 — RCE through XSS in zonote Electron App
For those unfamiliar with the term, CVE stands for Common Vulnerabilities and Exposures. Each CVE record contains a standard identifier, a brief description, and references to related vulnerability reports and advisories. The MITRE Corporation keeps a list of records for all publicly disclosed vulnerabilities, and the list is free to use.
The CVE list feeds the U.S. National Vulnerability Database (NVD), which also provides a score for each CVE. This score (called CVSS) is divided into three categories (Base, Temporal, and Environmental) and defines the impact of the vulnerability.
zonote is a cross-platform desktop note-taking app. Although the most basic use is saving a simple text note, you can use Markdown code or embed any kind of HTML.
This last fact made me wonder whether zonote would be vulnerable to Cross-Site Scripting. Cross-Site Scripting, or XSS, is one of the most frequent vulnerabilities in web applications…