63 matches found
CVE-2026-40263
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...
CVE-2026-40265
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/noteID/assets/assetID is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows...
CVE-2026-41571
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
PT-2026-37367
These are all security issues fixed in the icinga-php-library-0.19.2-1.1 package on the GA media of openSUSE Tumbleweed...
CVE-2026-41571
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
CVE-2026-41571
Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt"null" placeholder whenever a user has no stored password. OIDC-registered users are created with an empty password, so anyone who submits password:...
Note Mark 授权问题漏洞
Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Version 0.19.2 of Note Mark contains an authorization vulnerability. This vulnerability stems from the IsPasswordMatch function falling back to a hardcoded bcrypt empty password placeholder, allowing unauthenticate...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack via the login process. An attacker can obtain sensitive information about valid usernames by measuring response times and leveraging timing discrepancies. Remediation Upgrade github.com/enchant97/note-mark/backend/db to...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the asset download process. An attacker can access the full contents of private note assets by sending unauthenticated requests to the /api/notes/noteID/assets/assetID endpoint when valid note and asset IDs are...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the asset download process. An attacker can access the full contents of private note assets by sending unauthenticated requests to the /api/notes/noteID/assets/assetID endpoint when valid note and asset IDs are...
CVE-2026-40265
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/noteID/assets/assetID is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows...
CVE-2026-40263
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...
CVE-2026-40262
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...
CVE-2026-40265
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/noteID/assets/assetID is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows...
CVE-2026-40265 Note Mark has Broken Access Control on Asset Download
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset download endpoint at /api/notes/noteID/assets/assetID is registered without authentication middleware, and the backend query does not verify ownership or book visibility. An unauthenticated user who knows...
CVE-2026-40263
The connected PT Security disclosures confirm CVE-2026-40263 corresponds to a Username Enumeration flaw via the login endpoint in Note Mark. Affected component is the login/authentication flow; the underlying issue is CWE-208 (Username Enumeration). PT notes that Note Mark versions prior to 0.19....
CVE-2026-40263 Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...
CVE-2026-40263 Note Mark: Username Enumeration via Login Endpoint Timing Side-Channel
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerat...
CVE-2026-40262
In PT-Alert PT-2026-32118 (CVE-2026-40262) for Note Mark, a Stored XSS via Unrestricted Asset Upload is disclosed and fixed in version 0.19.2; all earlier versions are affected. Upgrade to 0.19.2 to mitigate. Other notes in the same disclosure reference related issues (CVE-2026-40263, CVE-2026-40...
CVE-2026-40262 Note Mark has Stored XSS via Unrestricted Asset Upload
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the asset delivery handler serves uploaded files inline and relies on magic-byte detection for content type, which does not identify text-based formats such as HTML, SVG, or XHTML. These files are served with an...