CVE-2021-43721

Name of the Vulnerable Software and Affected Versions Leanote version 2.7.0

Description The issue concerns a Cross Site Scripting (XSS) vulnerability in the markdown type note, which can lead to remote code execution. The payload uses a video tag with an onerror attribute set to a function that executes a command using require('child process').exec('calc'). This allows an attacker to execute arbitrary commands on the affected system.

Recommendations For Leanote version 2.7.0, update to a newer version that contains a fix for this issue. As a temporary workaround, consider disabling the markdown type note feature until a patch is available. Restrict access to the markdown editor to minimize the risk of exploitation. Avoid using the onerror attribute in the video tag in the markdown type note until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.