22.6k+ GitHub Stars Note-Taking App Hit by XSS Vulnerability


Every digital creation has flaws, and in this post we look at a recent finding in this popular open-source hierarchical note-taking application. While testing the thick client application, I discovered stored cross-site scripting vulnerabilities in the Title section, which appeared in an unusual place.

Description:

A stored cross-site scripting (XSS) vulnerability exists in Trilium Notes: when a new note is created, its title is rendered in the “Note Map” view without HTML escaping. A title containing markup is therefore injected as HTML, and because the title is persisted with the note, the payload runs every time the map renders that note. Script executed this way runs in the context of Trilium's own UI, with access to whatever the logged-in user can see and change, which is why an unescaped title field matters even in a desktop client.

Affected Versions: Trilium Notes, as published in the GitHub repository zadam/trilium, prior to version 0.59.4.

Steps to Reproduce:

1. Download the vulnerable version (0.58.0-beta for Windows) from this link.
2. Run the trilium.exe application.
3. Create a new note in Trilium.
4. Set the title of the new note to "><img src="x" onerror=alert(1337) />.
5. Open the “Note Map” view in Trilium.
6. Click the red dot representing the note in the “Note Map”, or simply wait for the alert to appear. The payload is stored with the note and is rendered into the page unescaped, so the alert box pops up every time the map is displayed.

Cross-Site-Scripting Payload used: "><img src="x" onerror=alert(1337) />
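The rendering mistake behind this bug, as an added example that is not Trilium's own code: a stored note title is dropped straight into HTML, the payload's leading "> closes the attribute and tag it lands in, and the <img onerror> that follows becomes a real element. The hardened version renders the same markup with the title escaped. The note-label markup, the in-memory note store and the small tag scanner used to inspect the output are assumptions made for illustration; the real Note Map code is not reproduced here.

```javascript
// Added example, not Trilium's code. Demonstrates the unescaped-title XSS pattern
// and its fix. Markup shape and helpers below are assumptions for illustration.

// Constructed sample note store. The second title is the payload from the report.
const notes = new Map([
  [1, { id: 1, title: "Shopping list" }],
  [2, { id: 2, title: '"><img src="x" onerror=alert(1337) />' }],
]);

// Minimal HTML escaping that is safe for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (assumed label markup): the stored title is interpolated
// directly into an attribute and a text node. The payload's leading `">`
// terminates title="..." and the <div> start tag, so the <img onerror> that
// follows is parsed as a real element and its handler runs on load failure.
function renderNodeLabelUnsafe(note) {
  return `<div class="note-label" data-note-id="${note.id}" title="${note.title}">${note.title}</div>`;
}

// Hardened pattern: identical markup, but the title is escaped for both the
// attribute context and the text context before it touches the HTML string.
function renderNodeLabelSafe(note) {
  const title = escapeHtml(note.title);
  return `<div class="note-label" data-note-id="${note.id}" title="${title}">${title}</div>`;
}

// Render every stored note: one poisoned title reaches the page on every visit,
// which is what makes this stored rather than reflected XSS.
function renderNoteMap(render) {
  return [...notes.values()].map(render).join("\n");
}

// Tiny start-tag scanner used only by this example (not a full HTML parser).
// It honours quoted attribute values, so "onerror=" sitting inside an escaped
// title="..." is never mistaken for an attribute of its own.
function scanStartTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<" || !/[a-z]/i.test(html[i + 1] || "")) { i++; continue; }
    let j = i + 1;
    while (j < html.length && /[a-z0-9]/i.test(html[j])) j++;
    const tag = { name: html.slice(i + 1, j).toLowerCase(), attrs: [] };
    while (j < html.length && html[j] !== ">") {
      if (/[\s\/]/.test(html[j])) { j++; continue; }
      let k = j;
      while (k < html.length && !/[\s=>\/]/.test(html[k])) k++;
      const attr = html.slice(j, k).toLowerCase();
      if (attr) tag.attrs.push(attr);
      j = k;
      while (j < html.length && /\s/.test(html[j])) j++;
      if (html[j] === "=") {
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {
          const end = html.indexOf(q, j + 1);   // skip the whole quoted value
          j = end === -1 ? html.length : end + 1;
        } else {
          while (j < html.length && !/[\s>]/.test(html[j])) j++;
        }
      }
    }
    tags.push(tag);
    i = j + 1;
  }
  return tags;
}

// Element names the browser would actually create from the rendered string.
function listElements(html) {
  return scanStartTags(html).map((t) => t.name);
}

// Does any real start tag carry an on* event-handler attribute?
function hasEventHandler(html) {
  return scanStartTags(html).some((t) => t.attrs.some((a) => a.startsWith("on")));
}

for (const render of [renderNodeLabelUnsafe, renderNodeLabelSafe]) {
  const html = renderNoteMap(render);
  console.log(render.name, listElements(html), "handler:", hasEventHandler(html));
}
```

The unsafe renderer turns the two stored notes into four elements, two of them <img> tags carrying onerror; the escaped renderer produces only the two <div> labels, and the payload survives as inert text. Escaping at the point where untrusted data meets markup (or using textContent / setAttribute instead of string building) is the fix; filtering titles on input is not, because the title must be allowed to contain any characters the user wants.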

Screenshot:

When the Red Dot in the Note Map was clicked, the stored XSS was executed, and an alert box appeared.

📽️Video PoC

https://drive.google.com/drive/folders/1Wt_BhUngMjFo3L2_7RhA4gFnYyJTHd5Z

I responsibly reported the vulnerability to the huntr.dev platform, which then engaged with the administrator of Trilium’s open-source repository. The report was meticulously validated, assigned an appropriate severity score, and promptly addressed through a new software release.

Subsequently, I was honored with the assignment of a CVE for my contribution to the security of the software ecosystem.

Officially disclosed report:

https://huntr.dev/bounties/4772ceb7-1594-414d-9b20-5b82029da7b6/#bugbounty

Official Announcements:

https://twitter.com/huntrHacktivity/status/1664648465685815299
https://twitter.com/__Raiders/status/1664663048571998208

CVE-2023-3067 Detail:

https://nvd.nist.gov/vuln/detail/CVE-2023-3067

Thank you for reading ✌🏻

Take care, fellow hackers!

Happy Hunting :>

You can connect with me on LinkedIn, or Twitter for more such insights!
