Every digital creation has flaws, and in this blog, we’ll look at a recent discovery that shook the foundation of this popular open-source hierarchical note-taking application. While testing the thick client application, I discovered stored cross-site scripting vulnerabilities in the Title section, which appeared in an unusual place.
Understanding CVE-2023-3067: Trilium Notes XSS Issue
The vulnerability arises when adding new notes in Trilium Notes: the note title is rendered immediately in the “Note Map” view without being sanitised, which permits HTML injection and cross-site scripting (XSS) that is both stored and reflected. The need for security vigilance cannot be overstated.
Steps to Reproduce:
- Begin by downloading the vulnerable version (0.58.0-beta for Windows) from this link.
- Execute the
- Create a new note within Trilium.
- Manipulate the Note Title: give the new note the title "><img src="x" onerror=alert(1337) />
- Visit the “Note Map”: Access the “Note Map” functionality within Trilium.
- Exploit Triggered: Click on the red dot in the “Note Map” or simply wait for the alert to appear. The XSS is now both reflected and stored, so the alert box pops up every time the Note Map is opened.
Cross-Site-Scripting Payload used:
"><img src="x" onerror=alert(1337) />
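To show why a title like the one above ends up as a live element in the Note Map, here is an added example (not Trilium's own code) that models the bug class in a few lines: a hypothetical renderer that interpolates the untrusted title straight into markup, beside a hardened version that escapes it for both attribute and text context. The element markup, function names and sample titles are assumptions constructed for the illustration.

```javascript
// Illustrative model of the rendering mistake behind CVE-2023-3067 (hypothetical,
// not Trilium's source): a note title dropped into Note Map markup as raw HTML,
// next to a hardened renderer that escapes every untrusted interpolation.

// Constructed sample titles: a benign one and the payload from the write-up.
const SAMPLE_TITLES = [
  'Meeting notes 2023',
  '"><img src="x" onerror=alert(1337) />',
];

// Vulnerable renderer: plain string concatenation into markup. The leading `">`
// in the payload closes the title attribute, so the <img> becomes a real element
// and its onerror handler fires as soon as this string is assigned to innerHTML.
function renderNodeUnsafe(noteId, title) {
  return `<div class="note" data-note-id="${noteId}" title="${title}">${title}</div>`;
}

// Characters that can change HTML structure. Both quote styles are included so
// the output is safe inside a quoted attribute as well as in text content.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: identical markup, but every interpolated value is escaped.
// Building the node with document.createElement and textContent is the DOM
// equivalent and avoids hand-rolled escaping entirely.
function renderNodeSafe(noteId, title) {
  const t = escapeHtml(title);
  return `<div class="note" data-note-id="${escapeHtml(noteId)}" title="${t}">${t}</div>`;
}

// Cheap regression check for a unit test: the renderer is supposed to emit exactly
// one opening tag (the <div>); any further tag start means markup was injected.
function containsInjectedTag(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length > 1;
}

// Demonstration when run directly.
for (const title of SAMPLE_TITLES) {
  const unsafe = renderNodeUnsafe('n1', title);
  const safe = renderNodeSafe('n1', title);
  console.log('unsafe injected tag:', containsInjectedTag(unsafe), unsafe);
  console.log('safe   injected tag:', containsInjectedTag(safe), safe);
}
```

The same check applied to the real application would flag the Note Map's output for the payload title before and pass it after the fix.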
What did I do Next?
I responsibly reported the vulnerability to the huntr.dev platform, which then engaged with the administrator of Trilium’s open-source repository. The report was meticulously validated, assigned an appropriate severity score, and promptly addressed through a new software release.
Subsequently, I was honored with the assignment of a CVE for my contribution to the security of the software ecosystem.
Officially disclosed report:
Thank you for reading ✌🏻
Take care, fellow hackers!