CVE-2024-23997

Vulnerability

The yana note-taking application by Lukas Bach, versions prior to and including 1.0.16, contains a stored cross-site scripting (XSS) vulnerability in the file src/electron-main.ts. This allows an attacker to inject arbitrary JavaScript code that executes in the context of the Electron main process. The vulnerability is accessible without any special permissions or configurations beyond standard usage of the application.

Exploitation

An attacker can exploit this vulnerability by crafting a specially crafted note or task that includes malicious JavaScript. When the victim opens the crafted note within yana, the injected script executes. The attacker does not require any network position or authentication; the victim only needs to be running a vulnerable version of yana and view the attacker's content. The public proof-of-concept [1] demonstrates the exploitation steps.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the Electron main process, which has full access to Node.js APIs. This can lead to complete compromise of the user's system, including data exfiltration, file access, and installation of malware. The impact is severe as the attacker can bypass typical web sandbox restrictions.

Mitigation

As of the publication date, no patched version has been released. Users should consider removing the application or disabling untrusted content. The only mitigation is to avoid using yana until a fix is issued. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.