digimezzo/knowte

XSS to Remote Code Execution vulnerability (via "nodeIntegration: true")


Vulnerability:

nodeIntegration is set to true, which allows access to node features from the renderer process.
This can allow an attacker to escape out of the renderer process and execute code on the target’s computer.

How to reproduce the vulnerability:

1. Simply create a new note.
2. Embed the following code into the note:
   ```html
   <a onmouseover="alert('lets do some calculus :D'); try{ const {shell} = require('electron'); shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">Open Calculator</a>
   ```
3. Hover over the "Open Calculator" text.

Video Demonstration:

202308171930.mp4

Attacker to Victim Scenario:

An attacker can simply create a malicious markdown file, CheckOutMyNotes.md, and make it publicly available for download or trick victims into downloading and opening the file with the knowte application.

Impact:

I have showcased my payload to open the calculator application as proof of concept for Remote Code Execution. However, alternative payloads could enable the attacker to achieve remote access to the target's system. Consequently, the potential impact on confidentiality, integrity, and availability stemming from this vulnerability should be categorized as significant.

@ChampionLeake Thank you for reporting this and for the detailed instructions to reproduce it. I've planned to fix this in the next release.