Vendor
A stored same-origin XSS vulnerability in Note Mark allows an authenticated user to upload malicious HTML, SVG, or XHTML files as note assets, leading to arbitrary code execution in a victim's browser due to missing content type restrictions and resulting in potential access to private notes, books, and authenticated API actions.