Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the source page’s root element and stores them inside web-clip HTML.
When the clip is later opened, Notesnook renders that HTML into a same-origin, unsandboxed iframe using `contentDocument.write(...)`. Event-handler attributes such as `onload`, `onclick`, or `onmouseover` execute in the Notesnook origin. In the desktop app, this becomes RCE because Electron is configured with `nodeIntegration: true` and `contextIsolation: false`.
Version 3.3.11 Web/Desktop and 3.3.17 on Android/iOS patch the issue.
Attack Parameters
Impact Assessment
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 3
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Streetwriters Notesnook_Desktop
cpe:2.3:a:streetwriters:notesnook_desktop:*:*:*:*:*:*:*:*
|
— |
3.3.11
|
|
Streetwriters Notesnook_Mobile
cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:android:*:*
|
— |
3.3.17
|
|
Streetwriters Notesnook_Mobile
cpe:2.3:a:streetwriters:notesnook_mobile:*:*:*:*:*:iphone_os:*:*
|
— |
3.3.17
|