{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/note-mark/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Note Mark"],"_cs_severities":["high"],"_cs_tags":["xss","web-application","github"],"_cs_type":"advisory","_cs_vendors":["Note Mark"],"content_html":"\u003cp\u003eA stored same-origin XSS vulnerability has been identified in Note Mark, specifically affecting versions prior to commit \u003ccode\u003e6bb62842ccb9\u003c/code\u003e on April 11, 2026. This vulnerability allows an authenticated user to upload a crafted HTML, SVG, or XHTML file as a note asset. Due to the application's failure to set a safe content type and lacking the \u003ccode\u003enosniff\u003c/code\u003e header, a victim's browser can sniff the file and execute its active content. This gives the attacker the ability to execute JavaScript within the victim's authenticated session, potentially compromising private notes, books, profile data, and authenticated API actions. The vulnerability is triggered when a victim opens the malicious asset URL, requiring user interaction. This issue poses a significant risk to deployments allowing asset uploads, as it allows for cross-user data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a valid user account on a Note Mark instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML, SVG, or XHTML file containing XSS payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;fetch('/api/notes').then(r =\u0026gt; r.json()).then(data =\u0026gt; console.log(data))\u0026lt;/script\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious file as a note asset using the Note Mark web interface or API, exploiting the unrestricted asset upload.\u003c/li\u003e\n\u003cli\u003eThe Note Mark server stores the file without properly setting the \u003ccode\u003eContent-Type\u003c/code\u003e header (it defaults to empty).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a URL pointing to the uploaded asset, using the \u003ccode\u003e/api/notes/{noteID}/assets/{assetID}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious URL to a victim (e.g., via phishing or social engineering).\u003c/li\u003e\n\u003cli\u003eThe victim clicks the link, causing their browser to request the asset.\u003c/li\u003e\n\u003cli\u003eThe browser, due to the missing \u003ccode\u003eContent-Type\u003c/code\u003e and lack of \u003ccode\u003eX-Content-Type-Options: nosniff\u003c/code\u003e, sniffs the content as HTML/SVG and executes the embedded JavaScript in the victim's authenticated session, granting the attacker access to Note Mark API actions as the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can have significant consequences. An attacker could potentially access or modify a victim's private notes, books, and profile data. Furthermore, the attacker could perform authenticated API actions on behalf of the victim, leading to further data breaches or unauthorized modifications. This vulnerability impacts any deployment allowing asset uploads and any user who can be induced to open a malicious asset URL.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Note Mark version \u003ccode\u003e0.0.0-20260411145018-6bb62842ccb9\u003c/code\u003e or later to incorporate the patch that addresses this vulnerability (reference: Affected Packages in the overview).\u003c/li\u003e\n\u003cli\u003eImplement strict content type validation on asset uploads to ensure that only safe file types are allowed (related to Attack Chain step 3).\u003c/li\u003e\n\u003cli\u003eConfigure the web server to send the \u003ccode\u003eX-Content-Type-Options: nosniff\u003c/code\u003e header for all responses to prevent browsers from MIME-sniffing responses (related to Attack Chain step 8).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Note Mark Asset Upload with HTML Content\u003c/code\u003e to identify potentially malicious asset uploads (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eReview and audit the asset delivery route (\u003ccode\u003ehandlers/assets.go:40\u003c/code\u003e) to ensure proper security controls are in place.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-note-mark-xss/","summary":"A stored same-origin XSS vulnerability in Note Mark allows an authenticated user to upload malicious HTML, SVG, or XHTML files as note assets, leading to arbitrary code execution in a victim's browser due to missing content type restrictions and resulting in potential access to private notes, books, and authenticated API actions.","title":"Note Mark Stored XSS via Unrestricted Asset Upload","url":"https://feed.craftedsignal.io/briefs/2024-01-note-mark-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Note Mark","version":"https://jsonfeed.org/version/1.1"}