Stored XSS in notes Title in zadam/trilium
Dec 25th 2022
A stored cross-site scripting (XSS) vulnerability exists in the handling of note titles. When a user creates a new note and enters its name, the title is rendered directly, without HTML escaping, in the "Note Map" feature. This allows HTML injection and stored XSS: the payload persists with the note and executes every time a user opens the Note Map.
Proof of Concept
1. Download the latest release for any platform. For this PoC I downloaded version 0.57.5 for Windows: [link](https://github.com/zadam/trilium/releases/download/v0.58.0-beta/trilium-windows-x64-0.58.0-beta.zip) (note that the linked archive is the 0.58.0-beta build).
2. Run the trilium.exe binary.
3. Create a new note.
4. Name the new note `"><img src="x" onerror=alert(1337) />`.
5. Open the "Note Map" feature and click on the red dot, or simply wait: the alert fires without further interaction because the payload is stored in the title.
6. The alert box now pops up every time the Note Map is opened, since the payload is persisted with the note.
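The rendering pattern behind the bug, as an added illustration that is not Trilium's own code: a label built by concatenating the note title into markup lets the PoC title break out of the attribute and inject an `<img>` tag, while the same label built from an escaped title does not. The `renderLabelUnsafe`, `renderLabelSafe`, `escapeHtml` and `introducesTag` functions, and the assumption that the Note Map label is a `div`, are constructed for this example; how Trilium itself renders the map, and how the project fixed it, are not stated on this page.

```javascript
// Constructed example, not Trilium's code: models a Note Map label that
// inserts a note title into HTML without escaping, next to the hardened form.

// The title from the PoC above.
const PAYLOAD = '"><img src="x" onerror=alert(1337) />';

// Vulnerable pattern: the raw title is concatenated into markup that is
// later handed to innerHTML (or an equivalent HTML sink). The '">' in the
// title closes the attribute and the rest becomes a live <img> element.
function renderLabelUnsafe(title) {
  return `<div class="note-label" title="${title}">${title}</div>`;
}

// Escape the five characters that change meaning in HTML text and
// double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: escape before concatenation. In a real DOM, using
// textContent / createTextNode and setAttribute achieves the same thing
// without building HTML strings at all.
function renderLabelSafe(title) {
  const safe = escapeHtml(title);
  return `<div class="note-label" title="${safe}">${safe}</div>`;
}

// Check: does the rendered markup contain any tag other than the ones the
// template itself is supposed to emit? A title must never add one.
function introducesTag(html, expectedTags = ['div']) {
  const tags = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !expectedTags.includes(t));
}

console.log('unsafe:', renderLabelUnsafe(PAYLOAD));
console.log('unsafe introduces tag:', introducesTag(renderLabelUnsafe(PAYLOAD)));
console.log('safe:', renderLabelSafe(PAYLOAD));
console.log('safe introduces tag:', introducesTag(renderLabelSafe(PAYLOAD)));
```

The `introducesTag` check is the kind of assertion worth keeping in a unit test for any view that renders user-controlled titles: feed it the PoC title and fail the test if the output grows a tag the template did not put there.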
Video Proof of Concept & Screenshots for Reference: