CVE-2023-3067 in triliuminfo

Summary

by MITRE • 06/02/2023

Cross-site Scripting (XSS) - Stored in GitHub repository zadam/trilium prior to 0.59.4.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/26/2026

The vulnerability identified as CVE-2023-3067 represents a stored cross-site scripting flaw within the trilium note-taking application hosted on GitHub. This particular vulnerability affects versions prior to 0594 and stems from insufficient input validation and output encoding mechanisms within the application's web interface. The flaw allows attackers to inject malicious script code into the application's storage system, which then gets executed whenever other users view the affected content.

The technical implementation of this vulnerability occurs through the application's handling of user-supplied data within note content and other interactive elements. When users create or modify notes containing malicious script payloads, the application fails to properly sanitize or encode these inputs before storing them in the database. Subsequently, when other users access these notes, the stored script code executes within their browser context, creating a persistent XSS vector. This particular flaw falls under CWE-79 which specifically addresses cross-site scripting vulnerabilities, and more precisely aligns with CWE-80 which deals with the improper neutralization of script code in web applications.

The operational impact of this vulnerability extends beyond simple data theft or session hijacking. Attackers could potentially leverage this stored XSS to perform actions on behalf of authenticated users, including modifying note content, accessing sensitive information, or even executing arbitrary commands within the application's context. The persistent nature of stored XSS makes this particularly dangerous as the malicious payload remains active until manually removed from the database. This vulnerability directly maps to several ATT&CK techniques including T1566.001 for credential access through social engineering and T1059.007 for script execution through web shells, making it a significant threat vector for attackers seeking to establish persistent access to user environments.

Mitigation strategies for this vulnerability involve implementing comprehensive input validation and output encoding mechanisms throughout the application's data processing pipeline. The most effective immediate fix requires updating to version 0.59.4 or later, which includes proper sanitization of user inputs and robust HTML escaping for all stored content. Organizations should also implement Content Security Policy headers to limit script execution contexts and establish regular security auditing procedures to identify similar vulnerabilities in other web applications. Additionally, implementing proper web application firewalls and input validation layers can provide additional defense-in-depth measures against similar stored XSS attacks. The vulnerability demonstrates the critical importance of maintaining up-to-date security practices and the necessity of implementing secure coding principles throughout the software development lifecycle.

Responsible

Huntr.dev

Reservation

06/02/2023

Disclosure

06/02/2023

Moderation

accepted

CPE

ready

EPSS

0.00398

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!