Vulnerability Details CVE-2020-35717
zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.063
EPSS Ranking 90.5%
CVSS Severity
CVSS v3 Score 9.0
CVSS v2 Score 3.5
References
- https://github.com/hmartos/cve-2020-35717
- https://github.com/zonetti/zonote
- https://medium.com/bugbountywriteup/remote-code-execution-through-cross-site-scripting-in-electron-f3b891ad637
- https://www.electronjs.org/apps/zonote
- https://github.com/hmartos/cve-2020-35717
- https://github.com/zonetti/zonote
- https://medium.com/bugbountywriteup/remote-code-execution-through-cross-site-scripting-in-electron-f3b891ad637
- https://www.electronjs.org/apps/zonote
Products affected by CVE-2020-35717
-
cpe:2.3:a:electronjs:zonote:0.1.0
-
cpe:2.3:a:electronjs:zonote:0.1.1
-
cpe:2.3:a:electronjs:zonote:0.1.2
-
cpe:2.3:a:electronjs:zonote:0.1.3
-
cpe:2.3:a:electronjs:zonote:0.3.2
-
cpe:2.3:a:electronjs:zonote:0.4.0