VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 1, 2021· Updated Aug 4, 2024

CVE-2020-35717

CVE-2020-35717

Description

zonote through 0.4.0 allows XSS via crafted notes, leading to remote code execution due to enabled Node.js integration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

zonote through 0.4.0 allows XSS via crafted notes, leading to remote code execution due to enabled Node.js integration.

Vulnerability

zonote is a cross-platform desktop note-taking app built with Electron. Versions through 0.4.0 have webPreferences configured with nodeIntegration: true, which allows JavaScript executed in notes to access Node.js APIs. A crafted note can inject arbitrary JavaScript via cross-site scripting (XSS), enabling remote code execution. [1][2]

Exploitation

An attacker crafts a malicious .znt file containing an XSS payload. The victim imports the file into zonote via Menu > Open. Hovering over links within the imported notes triggers the XSS. No authentication is required; user interaction is limited to importing the file and hovering over the malicious links. [2]

Impact

Successful exploitation allows arbitrary code execution on the victim's machine with the privileges of the zonote process. This can lead to full system compromise, data exfiltration, or further attacks. [1][2]

Mitigation

The repository has been archived and the owner stated no intention to fix the vulnerability. No patch exists. Users should avoid using zonote versions through 0.4.0 and consider alternative note-taking applications. [1][2]

References
  1. GitHub - zonetti/zonote: Cross-platform desktop note-taking app. Sticky notes with Markdown and Tabs. All in one .txt file.
  2. GitHub - hmartos/cve-2020-35717: Showcase repository for CVE-2020-35717

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

0

No linked articles in our index yet.