{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/note-mark/backend/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["note-mark/backend"],"_cs_severities":["high"],"_cs_tags":["path-traversal","rce","web-application"],"_cs_type":"advisory","_cs_vendors":["enchant97"],"content_html":"\u003cp\u003eNote Mark versions 0.19.2 and earlier contain an arbitrary file write vulnerability that leads to remote code execution. Authenticated users can upload assets to notes via \u003ccode\u003ePOST /api/notes/{noteID}/assets\u003c/code\u003e, with the asset filename taken directly from the \u003ccode\u003eX-Name\u003c/code\u003e HTTP header. The application fails to sanitize this filename, storing it directly in the database. When an administrator subsequently runs the data export CLI commands (\u003ccode\u003enote-mark migrate export-v1\u003c/code\u003e or \u003ccode\u003enote-mark migrate export\u003c/code\u003e), the stored asset name is passed into \u003ccode\u003efilepath.Join()\u003c/code\u003e calls. An attacker-controlled asset name containing directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) allows writing files to arbitrary locations, which can be escalated to RCE by overwriting system binaries, such as \u003ccode\u003e/bin/bash\u003c/code\u003e. The vulnerability is present in Note Mark\u0026rsquo;s backend component.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers an account and authenticates to the Note Mark application.\u003c/li\u003e\n\u003cli\u003eAttacker creates a notebook using a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/books\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker creates a note within the notebook using a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/books/\u0026lt;BOOK_ID\u0026gt;/notes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker uploads an asset with a malicious payload and a path traversal filename in the \u003ccode\u003eX-Name\u003c/code\u003e header to \u003ccode\u003e/api/notes/\u0026lt;NOTE_ID\u0026gt;/assets\u003c/code\u003e. The \u003ccode\u003eX-Name\u003c/code\u003e header contains a path traversal sequence targeting a sensitive file like \u003ccode\u003e/bin/bash\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application stores the unsanitized filename (including the path traversal) in the database.\u003c/li\u003e\n\u003cli\u003eAn administrator triggers a data export using \u003ccode\u003enote-mark migrate export-v1 --export-dir /data/backup\u003c/code\u003e or \u003ccode\u003enote-mark migrate export\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe export process uses the unsanitized filename in \u003ccode\u003efilepath.Join()\u003c/code\u003e, causing a file to be written to the attacker-specified location (e.g., overwriting \u003ccode\u003e/bin/bash\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe next time \u003ccode\u003ebash\u003c/code\u003e is invoked, the attacker\u0026rsquo;s payload executes, resulting in code execution as root.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to overwrite arbitrary files on the system with root privileges, leading to complete system compromise. Overwriting \u003ccode\u003e/bin/bash\u003c/code\u003e results in RCE the next time any user invokes \u003ccode\u003ebash\u003c/code\u003e. The number of affected installations is unknown, but the vulnerability exists in version 0.19.2 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect asset uploads with path traversal sequences in the \u003ccode\u003eX-Name\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eApply \u003ccode\u003efilepath.Base()\u003c/code\u003e to the \u003ccode\u003eX-Name\u003c/code\u003e header value in \u003ccode\u003ebackend/handlers/assets.go\u003c/code\u003e before storing it in the database, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eApply \u003ccode\u003efilepath.Base()\u003c/code\u003e to \u003ccode\u003easset.Name\u003c/code\u003e in \u003ccode\u003ebackend/cli/migrate.go\u003c/code\u003e at lines 328 and 223 before using it in file path construction.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of Note Mark which addresses CVE-2026-44522.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-note-mark-rce/","summary":"Note Mark is vulnerable to arbitrary file write via path traversal in asset names, leading to remote code execution by overwriting system binaries such as /bin/bash.","title":"Note Mark Arbitrary File Write via Path Traversal Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-note-mark-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["note-mark/backend"],"_cs_severities":["critical"],"_cs_tags":["jwt","account-takeover","vulnerability"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eNote Mark is vulnerable to a critical security flaw related to the handling of JWT secrets. Specifically, the application does not enforce a minimum length or entropy on the \u003ccode\u003eJWT_SECRET\u003c/code\u003e configuration value. This means that the application accepts any base64-decodable secret, regardless of its size, even secrets as short as a single byte. According to RFC 7518 Section 3.2, HS256 keys must be at least 256 bits (32 bytes), but this is not enforced in Note Mark. This vulnerability, identified as CVE-2026-44523, allows attackers to compromise user accounts completely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eDeploy a vulnerable instance of Note Mark with a weak \u003ccode\u003eJWT_SECRET\u003c/code\u003e (less than 32 bytes after base64 decoding).\u003c/li\u003e\n\u003cli\u003eAn attacker registers a new user account on the vulnerable Note Mark instance.\u003c/li\u003e\n\u003cli\u003eThe attacker captures a valid \u003ccode\u003eAuth-Session-Token\u003c/code\u003e cookie from the registration or login process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses offline brute-force or dictionary attacks to crack the weak signing secret, such as using a Python script to decode the token with different secret values.\u003c/li\u003e\n\u003cli\u003eOnce the secret is recovered, the attacker forges a new JWT for an arbitrary user UUID, potentially including an administrator account, and extends the expiry time.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the forged token in a request to the server.\u003c/li\u003e\n\u003cli\u003eThe server incorrectly validates the forged token due to the compromised secret.\u003c/li\u003e\n\u003cli\u003eThe server returns a 200 OK response, authenticating the attacker as the targeted user, granting unauthorized access to sensitive data and functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to perform full account takeover across the entire Note Mark application. The attacker can forge valid JWTs for any user, including administrators, without needing to know any actual user credentials. There is no server-side detection or rate-limiting possible, allowing the attacker to gain complete control over user accounts and data, potentially leading to data breaches, unauthorized modifications, and complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnforce a minimum length of 32 bytes (256 bits) for JWT secrets after base64 decoding to prevent brute-force attacks. This directly addresses the core vulnerability (CVE-2026-44523).\u003c/li\u003e\n\u003cli\u003eReject weak secrets during configuration parsing within the \u003ccode\u003eBase64Decoded.UnmarshalText\u003c/code\u003e function or during config validation to prevent deployment with insecure secrets.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Weak JWT Secret Usage\u003c/code\u003e to identify potentially vulnerable Note Mark instances that do not meet the minimum key size requirements.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-note-mark-jwt-vuln/","summary":"Note Mark is vulnerable to a JWT secret weakness that allows for full account takeover via token forgery by accepting secrets as short as 1 byte, enabling attackers to crack the signing secret offline and forge valid JWTs for any user.","title":"Note Mark JWT Secret Weakness Allows Account Takeover","url":"https://feed.craftedsignal.io/briefs/2024-01-note-mark-jwt-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Note-Mark/Backend","version":"https://jsonfeed.org/version/1.1"}