XSS to RCE found in Trilium in zadam/trilium

Valid

Reported on

Mar 24th 2023


Vulnerability Type

Remote Code Execution (RCE)

Authentication Required?

No

Affected Location

  • Search Notes > Search Ancestor (Output)
  • Jump to Note > Search Note (Output)
  • New Tab > Search Notes (Output)

Issue Summary

The application does not escape HTML characters in note titles when it renders search results, leaving it susceptible to cross-site scripting (XSS). If a victim searches for specific keywords that match such a title, the payload in the title executes. Because the application is built on Electron with contextIsolation disabled and nodeIntegration enabled, the injected script can reach Node.js APIs such as require('child_process'), so the XSS escalates to command execution on the system where the application is running.

Recommendation

Escape HTML characters in note titles when rendering search output (or build the result elements with DOM APIs such as textContent rather than assigning HTML strings) so that a title can never be interpreted as markup. In the Electron BrowserWindow webPreferences, set nodeIntegration to false and contextIsolation to true; with those settings a renderer-side XSS cannot call require() or other Node.js APIs, which blocks the escalation from XSS to RCE. Keep third-party libraries and dependencies up to date with security patches.
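The following is an added example and not Trilium's own code. It reconstructs the class of bug described above in plain JavaScript: a search-result renderer that escapes the title on the no-match path but splices raw title fragments around highlight markup when the query matches, so the XSS fires only when the victim searches for a character present in the malicious title, exactly the behaviour the reproduction steps describe. The function names, the <b> highlight markup and the sample title are assumptions for illustration; the Electron webPreferences object lists Electron's documented BrowserWindow options as the defence-in-depth layer the recommendation calls for.

```javascript
// Added example (not Trilium's code): unsafe vs. hardened search-result
// highlighting, plus the Electron settings that stop XSS from reaching Node.

// Constructed sample input: the title a malicious user stores in a note,
// the same shape as the payload in this report (closing '>' added).
const MALICIOUS_TITLE =
  '<img src=x onerror=require(`child_process`).execSync(`/usr/bin/mate-calc`)>';

function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (reconstruction, hypothetical function name): the title
// is escaped only when nothing matched. On a match, the raw title fragments
// are joined around the highlight markup unescaped, so a title that is itself
// HTML becomes live markup once this string is assigned to innerHTML. With
// nodeIntegration enabled and contextIsolation disabled, the onerror handler
// can call require('child_process').
function renderHighlightUnsafe(title, query) {
  if (!query || title.indexOf(query) === -1) {
    return escapeHtml(title);               // no-match path: correctly escaped
  }
  return title.split(query).join('<b>' + query + '</b>');   // bug: not escaped
}

// Hardened pattern: escape every fragment of the title and the query before
// any markup is added, so the only tags in the output are the ones written here.
function renderHighlightSafe(title, query) {
  if (!query || title.indexOf(query) === -1) {
    return escapeHtml(title);
  }
  return title
    .split(query)
    .map(escapeHtml)
    .join('<b>' + escapeHtml(query) + '</b>');
}

// Check used below: does the rendered HTML contain any tag other than the
// renderer's own <b>...</b>?
function containsForeignTag(html) {
  return /<(?!\/?b>)[a-z]/i.test(html);
}

// Defence in depth in the Electron main process. These are Electron's
// documented BrowserWindow webPreferences; even if an escape is missed,
// a renderer-side XSS then has no require() to call.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Reproduce the report's trigger: searching for a character that occurs in
// the malicious title (a backtick here, one of the characters the report lists).
function demo() {
  const query = '`';
  return {
    unsafe: renderHighlightUnsafe(MALICIOUS_TITLE, query),
    safe: renderHighlightSafe(MALICIOUS_TITLE, query),
  };
}
```

Running demo() shows the unsafe output still containing a live <img ... onerror=...> tag, while the safe output contains only escaped text inside the renderer's own <b> markup. Note that the unsafe renderer looks correct under casual testing because a search that matches nothing takes the escaped path; the bug surfaces only when the query overlaps the hostile title, which is why the report's trigger is "search for a specific character".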

Credits

Ali Radzali (muhammadali.radzali@baesystems.com)

Issue Reproduction

Create a new note and insert the payload below into the title of the note.

<img src=x onerror=require(`child_process`).execSync(`/usr/bin/mate-calc`)

insert-payload.png

NOTE: Triggering the XSS payload is not limited to searching for double quotes. For this particular payload, only the characters `, 1, #, ", > can be used to trigger the XSS.

Search Notes (Ancestor)

Click on "Search Notes" on the left sidebar and search for double quotes ("). This should trigger the XSS payload in the title of the note.

xss-searchnotes.png

Jump to Notes (Note)

Click on "Jump to Note" on the left sidebar and search for double quotes ("). This should trigger the XSS payload in the title of the note.

xss-jumptonote.png

New Tab (Note)

Create a new tab and search for double quotes ("). This should trigger the XSS payload in the title of the note.

xss-newtab.png

Impact

This vulnerability allows an attacker to execute arbitrary code on the system running the Trilium desktop app if a victim searches for specific keywords that match a malicious note title.

We are processing your report and will contact the zadam/trilium team within 24 hours. 2 months ago
We have contacted a member of the zadam/trilium team and are waiting to hear back 2 months ago
zadam modified the Severity from High (7) to High (7) 18 days ago
zadam validated this vulnerability 18 days ago
Muhammad Ali has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Muhammad Ali
18 days ago

Researcher


Thank you @zadam !

Here is the commit that fixes the issue, sent by the maintainer: https://github.com/zadam/trilium/commit/4c3fcc3ea6f37debcb87ac1a7f5698c27be0e67b

Dear @admin, the maintainer has responded and confirmed the fix. Could you please follow up on the CVE creation? Thank you.

Ben Harvie marked this as fixed in v0.59.4 with commit 4c3fcc 11 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 11 days ago
Muhammad Ali
9 days ago

Researcher


Dear @admin,

It was mentioned that validated reports from this repo should get me a CVE.

Could you please follow up on the CVE creation.

Thank you.

Ben Harvie
3 days ago

Admin


We would need the maintainer to confirm they wish to have a CVE assigned.

@maintainer?
