THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Fathom (Privacy friendly web analytics)
Zendesk (Helpdesk and Chat)

Ok

Home | EN
Support
CVE
PUBLISHED

CVE-2024-39904

Code Execution Vulnerability via Local File Path Traversal in Vnote

AssignerGitHub_M
Reserved2024-07-02
Published2024-07-11
Updated2024-07-11

Description

VNote is a note-taking platform. Prior to 3.18.1, a code execution vulnerability existed in VNote, which allowed an attacker to execute arbitrary programs on the victim's system. A crafted URI can be used in a note to perform this attack using file:/// as a link. For example, file:///C:/WINDOWS/system32/cmd.exe. This allows attackers to execute arbitrary programs by embedding a reference to a local executable file such as file:///C:/WINDOWS/system32/cmd.exe and file:///C:/WINDOWS/system32/calc.exe. This vulnerability can be exploited by creating and sharing specially crafted notes. An attacker could send a crafted note file and perform further attacks. This vulnerability is fixed in 3.18.1.



HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-73: External Control of File Name or Path

Product status

< 3.18.1
affected

References

https://github.com/vnotex/vnote/security/advisories/GHSA-vhh5-8wcv-68gj

https://github.com/vnotex/vnote/commit/3477469b669708ff547037fda9fc2817870428aa

cve.org CVE-2024-39904

nvd.nist.gov CVE-2024-39904

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-39904
© Copyright 2024 THREATINT. Made in Cyprus with +