Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/{noteID}/assets/{assetID} is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows a valid note ID and asset ID can retrieve the full contents of private note assets without authentication, regardless of whether the associated book is public or private.
This issue has been fixed in version 0.19.2.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
References 3
https://github.com/enchant97/note-mark/commit/6593898855add151eb9965d96998b05e1…
security-advisories@github.com
https://github.com/enchant97/note-mark/releases/tag/v0.19.2
security-advisories@github.com
https://github.com/enchant97/note-mark/security/advisories/GHSA-p5w6-75f9-cc2p
security-advisories@github.com