cve/2020/CVE-2020-35717.md

CVE-2020-35717

Description

zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).

POC

Reference

• https://medium.com/bugbountywriteup/remote-code-execution-through-cross-site-scripting-in-electron-f3b891ad637
• https://medium.com/bugbountywriteup/remote-code-execution-through-cross-site-scripting-in-electron-f3b891ad637

Github

• https://github.com/ARPSyndicate/cvemon
• https://github.com/developer3000S/PoC-in-GitHub
• https://github.com/hectorgie/PoC-in-GitHub
• https://github.com/hmartos/cve-2020-35717
• https://github.com/nomi-sec/PoC-in-GitHub