CVE-2024-39904

Name of the Vulnerable Software and Affected Versions VNote versions prior to 3.18.1

Description A code execution issue existed in VNote, allowing an attacker to execute arbitrary programs on the victim's system. This could be achieved by using a crafted URI in a note, such as file:///C:/WINDOWS/system32/cmd.exe or file:///C:/WINDOWS/system32/calc.exe, which references a local executable file. The vulnerability can be exploited by creating and sharing specially crafted notes, potentially leading to further attacks.

Recommendations For versions prior to 3.18.1, update to version 3.18.1 to resolve the issue. As a temporary workaround, consider avoiding the use of file:/// links in notes until the update is applied. Restrict access to sharing notes from untrusted sources to minimize the risk of exploitation.